Assessing the Vulnerability of the UK to a Cyber-attack: A Multidisciplinary Analysis of Cyber Security.
This paper will demonstrate the vulnerabilities which are present in cyberspace and the vast number of threats to the United Kingdom from both a theoretical and practical perspective. The central argument of this paper is that the most general analysis of cyberspace and cybersecurity by international security studies scholars that cyberspace is merely an extension of war or a war-fighting domain is inherently unrepresentative of the true nature of the phenomena.
Cyberspace is a new and unique realm which lies outside of the warfighting domains. Although a crucial part of war-fighting its sheer interconnectivity and penetration into practically every aspect of our lives and society as whole merits the need for a new type of study. The paper will encompass a multidisciplinary approach in analyzing cyberspace. It will bring together the disciplines of sociology, engineering, computer science, physics and international security studies.
First, the paper will begin with a theoretical analysis of network theory to display the vast interconnectivity and vulnerabilities in cyberspace. The following section will cover complexity and chaos theory and demonstrate how ‘ripple effects’ caused by cyber-attacks travel across sectors such as the economy and represent significant threats. The subsequent chapters of the paper will shift from theory to practice and display the limitless vulnerabilities emerging in cyberspace. The segments will cover the methodology of attacks such as social engineering and a case study on the hacker group LulzSec to display the immense threats posed by non-state actors.
Lastly, the paper will conclude with a summary and recommendations to limit future cyber-attacks in a world where we are increasingly connected, and vulnerabilities and threats will only intensify.
Vulnerability and Network Theory
Over the past two decades, network technology has radically transformed everyday life across the globe. This is evident in the extent to which networks now pass unnoticed in our lives. Computers have undergone a huge shift from mainframes to widespread desktops; we now have to compute via the Internet, Web and wireless networks. Various forms of networks and systems are interconnected to form a global cyberspace. The sheer penetration of technology and networks in modern society means that everything and everyone are to a degree interconnected. It is at this point that we fail to recognize the true interconnectedness of the modern world and begin to overlook vulnerability.
According to Sociologist Bob Jessop (1990), society consists of systems that are “radically autonomous” and therefore not governable by a subordinate center such as a state. From a personal standpoint, cyberspace is precisely a “system” in modern society which Jessop describes above. It is a fluid and continuously developing network or system and a phenomenon which is far from governable. When it comes to government efforts to develop effective laws and policy to reduce cyber-attacks, it appears inherently difficult. The complexity and threats arising from this diverse phenomenon are not quantifiable. Likewise, from a different theoretical perspective, network theory can largely help us in understanding vulnerabilities in cyberspace. Although there is no global definition of network theory, a network is defined by scholars as a “complex pattern of relationships among multiple interdependent elements”. Scholars of network theory recognize that because networks are complex and centreless much like the network of cyberspace, uncertainties are unavoidable in creating, planning or managing networks. Nonlinearity is the underlying source of uncertainty; it makes network behaviors unpredictable. It is not possible to formulate a complete understanding of a complex network.
If we take network theory and directly apply it to cyberspace, it appears largely applicable from a theoretical and practical perspective. Cyberspace is heavily networked and interdependent for its operational functions (ripple effects of cyber-attacks are discussed in the following chapter). It is essentially a global network of networks where new and diverse technologies are being developed on a daily basis, and so are vulnerabilities in those technologies. There is no linear threat or vulnerability in a cyber network or a system. O’Toole’s (1997) suggestion that the management of networks is complex and unpredictable shows great similarity to the network of cyberspace. The same principle can be applied to the management of risk, vulnerability and threats in the virtual world.
Left – A more accurate representation of cyberspace, interconnectivity, and threats.
Right – A more common perception of cyberspace and threats.
Chaos, Complexity, and the Ripple Effect
A cyber-attack does not have to be directed at government or military infrastructure to inflict harm on a nation. This can be best described using chaos or complexity theory or a dynamic which often occurs from these theories known as the ripple effect. Chaos theory, from where complexity theory has its origins examines nonlinear relations, with changes which cannot be fitted into a simple linear paradigm. The ripple effect is a situation when ‘ripples’ spread across sectors or areas from the point of origin outwards incrementally. We have already established in the previous chapter that most systems and networks do not operate in a simple linear manner (neither do threats or vulnerabilities). In this instance when we apply the ripple effect to a cyber-attack it effectively transitions to a multi-sector cyber-attack. This enables the possibility of harming a multitude of critical sectors such as the economy and government by attacking a sector which appears less critical. Thus, leaving the UK or any nation for that matter open to vulnerability through poor security policies of another sector or nation.
A recent study by Vikas and Chopra (2015) examining the concept of interconnectivity and interdependence of critical infrastructure in the U.S. economy has shown similar findings. Their findings show that “contemporary society is crucially dependent on the stability of complex infrastructure networks for almost every social and economic function”. In the U.S., the Department of Homeland Security has listed sixteen critical infrastructure sectors whose vulnerability from hazards such as cyber-attacks would have a crippling effect on the nation’s economy, health, security, and safety. The crucial importance of critical infrastructure is a result of growing interconnectivity. Similarly, “individual industry sectors in an economic system are inherently interconnected, and disruption in any single sector can trigger a ripple throughout the economy affecting sectors that directly and indirectly interact with the triggering sector”. Such dependency on cyberspace has given rise to nonlinear vulnerabilities to all critical infrastructure in modern society.
Moreover, at the RSA Conference 2016 discussion about ripple or domino effects dominated many of the large cybersecurity firms’ conferences. An industry-leading cyber security firm RedSeal stated that cyber-attacks can have ripple effects that reach far beyond one organization. The Chief Operations Director stated, “everything is interconnected, you have to worry not just about your network, but everything connected with it.” RedSeals’ research has demonstrated that global ripple effects can occur through cyberspace, sometimes triggered by minor cyber-attacks in another nation.
This demonstrates the importance of understanding cyberspace from a multidisciplinary or a non-standard theoretical perspective. Network theory, Chaos theory and the dynamic of the ripple effect contribute vastly to the field of cyber security. Theoretically, it is important to understand the magnitude of interconnectivity throughout the world. By understanding that a cyber-attack in one sector which may not be deemed as important can have an enormous impact on a nation’s security is critical to developing better responses to cyber-attacks. It also aids practitioners with formulating effective policy and ensuring the safety and sustainability of the virtual and physical world.
Moving from Theory to Practice
With an abundance of new and already existing technologies interconnected through cyberspace, we are now seeing more and more vulnerability from a wide range of attackers. Cyberspace is a massive global domain and a global commons which is continuously growing by wired and wireless interconnectivity. We are in the process of witnessing advances such as the Internet of Things (IoT) and everything from vehicles, houses, to washing machines being networked through cyberspace. When we take into consideration such advances, it leaves us to question how and what traditional approaches to cyber security teach us. Traditionally cyber security threats are grouped in the categories of cyberwar, cybercrime, cyber espionage, and hacktivism. Although this may also not be truly representative or informative as there are groups such as LulzSec discussed later in this paper that appear to be exposing vulnerabilities in the virtual world for other purposes such as retaliation or fame.
The first concept of cybercrime refers to criminals or criminal groups exploiting individuals, small business, and large corporations to acquire sensitive information to commit fraud, copyright infringements, cyberstalking and so forth. Cyber espionage is defined as an act undertaken in a clandestine manner that utilizes cyber capabilities to gather information. A prominent example of cyber espionage was the vast and highly successful malware – GhostNet believed to emanate from China. This malware affected over 103 countries and a large number of high-value targets which included embassies, ministries of foreign affairs, media outlets and non-governmental organizations. The term cyberwar is highly contested among scholars. The Belgium government defines cyber war “as an escalated cyber conflict between states in which cyber operations are carried out by state actors against cyber infrastructure as part of a military campaign”. The last concept – hacktivism is often associated with the hacktivist group Anonymous. The term is defined as hacking into a website or computer to communicate a politically or socially motivated message.
Although there may be some merit to grouping these concepts, they ultimately leave us with many questions and little answers. First, all of these phenomena are a crime. Second if you are committing an act of cyber espionage it can be conducted as an extension of cyber war, or a form of reconnaissance for a hacktivist group looking to penetrate an organization. If a nation is conducting cyber war, it is most likely engaging in cyber espionage to support its cyber or hybrid warfare. There are various other concepts tied in with the virtual world which need to be taken into consideration. Surveillance, the media, and manipulation of public opinion to name a few are tools utilized by governments as well as non-state actors. These acts also encompass traits of cyberwarfare, cyberespionage, and hacktivism. The lines are often heavily blurred when analyzing traditional approaches to cyber security. Cyberspace is chaotic, and one event often leads to another making it impossible to establish clearly what kind of cyber-attack or act a certain actor is engaged in.
Methodology of Attacks and Ease of Access
Attack methodology is the process used to attack a target and potential tools/techniques that can be used to execute the attack. The steps are reconnaissance, attack, and exploit. Cyberspace has opened enormous doors to attack methodology. Not only are governments and corporations developing substantial offensive security programs but the general public from where a significant amount of attacks originate have access to essentially unlimited amounts of information and software. There are free and open source operating systems such as Kali Linux pre-configured with over 600 programs to penetrate or ‘hack’ systems and networks, develop viruses, botnets, worms, rootkits and so forth. We have access to ‘hacker’ forums, websites with free ‘Hacking’ tutorials, open source intelligence or reconnaissance tutorials, open source software such as The Social-Engineer Toolkit (SET) to name a few. The cyber ‘threatscape’ about methodology is vast and evolving at a rapid pace. Instead of providing an overview of attack methodologies such as viruses or worms the following segment of this chapter will provide an analysis of social engineering as a powerful, potent and less technological methodology of attack.
A social engineering toolset in Kali Linux.
Social engineering has come to light as a genuine threat in cyberspace and is an extremely potent means to extract information from computer systems. In day to day, life communication has become increasingly distributed over a wide range of online communication channels. In addition to email and instant messengers, services such as Facebook and Twitter have become part of our daily routines in private and commercial communication. Businesses often expect their employees to be mobile and flexible in the workforce, resulting in a trend of employees using various devices for both works and in the personal sphere. This growth in flexibility and subsequent reduction in the face to face communication means that more and more data is distributed through online channels. Within the last two decades, security vulnerabilities in the virtual world have often been misused to leak sensitive data. Such vulnerabilities are patched over time. However, even the most sophisticated cyber security protocols are useless when users are manipulated by skilled social engineers.
According to research conducted by Weippl et al. (2015), the most powerful method an attacker can utilize to access information is through social engineering. They define the term as manipulating a person into essentially handing over information. It is a superior methodology in comparison to other hacking variants as “it can breach even the most secure systems as the users themselves are the most vulnerable part of the system”. A multitude of multinational corporations has fallen victim to skilled social engineers. Google’s internal systems were breached in 2009, and Facebook was compromised in 2013 to name a few. These cyber-attacks on “high-value” targets are often referred to as Advanced Persistent Threats (APT). APT’s are dependent on a common attack method such as social engineering through spear-phishing.
Social engineering attacks often encompass “physical, social and technical aspects which occur at different times of the attack”. The physical aspect occurs when the attacker attempts to gather information on the victim through techniques such as dumpster diving. The attacker can search through an organizations garbage to find valuable sources of information such as employee data, memos, manuals, and even sensitive information. A social approach to social engineering often involves the art of persuasion or manipulation of the victim. Examples of social attacks include persuasion of authority and curiosity often used in spear-phishing and bait attacks where the attacker attempts to develop relationships with their future victim. According to Andress & Winterfield’s (2015) research, the most widely used type of social attack is performed via telephone. Technical approaches to social engineering are often carried out via the internet. According to research by Granger (2001) the internet is heavily relied upon by social engineers as it is used to collate passwords, as their victims use the basic sample passwords for their accounts. Social engineers are often heavily reliant on search engines to collect person data. There is an abundance of tools that can gather and aggregate information from a wide range of sources. A popular choice for attackers is Maltego Teeth.
Social engineering represents a persistent and harmful cyber-attack method. The physical, technical and social attack vectors are often combined to form what is known as socio-technical engineering. The ease of access to personal data over the internet as well as the ease of access to the methodology to execute attacks such as SET makes social engineering one of the most substantial cyber threats in the modern era. This skillset of exploiting human error has proven effective to penetrate even the largest and most secure online corporations and posed a threat to everyone from the individual to the security of a nation.
Non-state Actors and Hacking for the ‘Lulz.’
The virtual world hosts a wide range of actors actively seeking to exploit vulnerabilities. These range from states or government agencies such as the National Security Agency (NSA), state-sponsored actors such as the Syrian Electronic Army (SEA), non-state actors such as Anonymous, criminal organizations, skilled individual hackers and script kiddies (less skilled hacker). Similarly, these attackers have varied ambitions. The SEA may be penetrating the systems of media outlets to express a political message. A criminal organization may be social engineering for identity theft, and a script kiddy may be using a toolset such as Kali Linux to cause distress to a local business out of a sense of adventure or to seek fame. The actors, ideologies and motives are vast and varied. As mentioned in earlier chapters, the threats are nonlinear with every actor seeking to exploit a certain vulnerability for a different purpose. The following segment of this chapter will provide an analysis of the hacker group LulzSec to demonstrate the sheer scope of threats to the UK in the virtual world.
In the Spring of 2011, the hacker group – LulzSec which stands for (‘laughing out loud’ or lol) and ‘security’ a splinter group of highly skilled hackers from Anonymous tore apart the virtual world in a way never seen before. The group announced that they were compromising systems and stealing information for the ‘lulz.’ The group was described as pure “internet motherfuckery” by hacktivist scholar Gabriel Coleman. They wreaked havoc for eight weeks taunting law enforcement, hacking into multi-billion dollar transnationals, federal agencies, white-hat Internet security firms, and individuals and openly posting their stolen information on Twitter for the world to see.
Their methodology of attack was often quick and simple. After breaching the intended systems, they tweeted and loaded files on Pastebin, which often contained HTTP addresses of Pirate Bay links where the public could access hacked files of information. The first large-scale cyber-attack was announced on May 10. They hacked the systems of Fox.com and posted files including sales databases, emails, and administrator passwords. On the 15th of May, the group hacked the UK’s ATM internal data structure and released it on Twitter. On the 23rd of May LulzSec announced hacks against Sony and on the 2nd of June they released their second Sony hack named Sownage (Sony+ownage). This attack displayed the vast skillset the group possessed. The group was able to breach SonyPictures.com and expose millions of users’ passwords, email addresses, home addresses, telephone numbers, and birthdays. It was at this point when the White House announced that an act of cyber sabotage on the U.S. would be considered an act of war. The group went on to deface the White House website, compromise the systems of FBI-affiliated contractors, take down the websites of the Serious and Organized Crime Agency and the Central Intelligence Agency and even hack into PBS and write a cover story about Tupac Shakur residing in New Zealand. All of these hacks had a ‘lulzy’ type of internet humor attached to them. The group often posted their logo of a typical internet troll meme on a boat, images of cats or an edited version of the love boat song.
Although a short analysis of LulzSec, it displays what a group of six highly skilled young men aged 16-25 are capable of. They had self-taught themselves advanced hacking methods, reverse engineering, developed their cryptography methods and had become experts in social engineering. Even though the team was eventually caught after a lengthy international response by law enforcement, their capture was not because they had leaks in their security but due to a team member informing on them to the FBI. The LulzSec case demonstrates what a group of hackers is capable of in the name of fame or the ‘lulz’. There was no financial or criminal gain from any of the hacks; there was rarely any political message, and they certainly were not waging war on a nation. When groups such as LulzSec develop momentum, their cyber-attacks can without a doubt cause ripple effects across large sectors across nations. They are a clear nonlinear and non-standard threat in the chaos of cyberspace and most definitely pose a threat to a nation, in this case, the UK.
Recommendations for Limiting Threats and Vulnerability
As there is no simple solution to countering every threat or securing every vulnerability, this chapter will present two central recommendations to limit threats and vulnerabilities. The first gravitates toward the workplace and employees. Collective approaches to tackling cybersecurity need to be utilized. This approach needs to spread across governmental, corporate and academic sectors. Furthermore, stronger education needs to be provided to employees to ensure they are aware of vulnerabilities. This should encompass computer security basics as well as how to protect themselves from manipulation or social engineering attacks. Regarding basic computer, security employers can utilize a wide range of material and campaigns to educate their employees. Campaigns such as US-CERT and Microsoft’s Internet Safety for Enterprise and Organizations are good examples. Employees who work in spheres where a security clearance is required or with sensitive data should be provided with an extra layer of training in areas such as social engineering awareness. The SANS Institute has conducted thorough research into social engineering countermeasures. They have published and put together in-depth defense training manuals and courses such as – A Multi-Level Defense Against Social Engineering which should be provided to certain employees.
A second recommendation and perhaps a more important one is based on the principle of educating the upcoming generations. Since cyberspace and cybersecurity are relatively new phenomena, we are still in the stages where if we set good standards and effective ways for youth to ‘express’ their technological skills there is a strong possibility cyberspace will be a safer environment. This can be achieved in several different ways. First, IT teachers at schools and colleges need to be aware of students with a strong interest in computing. Not in an intrusive manner, but in a positive direction. There are plenty of great initiatives such as the coding at schools which was recently introduced to develop a positive skillset for school students. Other examples include Tech Future Girls and Plural Sight. There is also an abundance of competitions such as the Capture the Flag (CtF) competitions where students who display interest in finding vulnerabilities in systems can safely do so. Similar recommendations apply to university level students. Strategic assessments by the National Crime Agency’s cyber unit – National Cyber Crime Unit (NCCU) have displayed similar results, their Prevent strategy has gone as far as using former LulzSec members in campaigning for the positive use of cyber skills. Similarly, a great initiative by the National Crime Agency and partners is the UK Cyber Security Challenge, which has shown to be effective in locating young talented cyber security professionals as well as providing a great platform for people to develop their skills safely. Ultimately, ‘diversion’ strategies in combination with school teachers, university professors, and the IT sector need to work together effectively to educate future generations to create a safer cyberspace.
This paper has provided an assessment of the vast number of cyber security threats and vulnerabilities to which the UK is exposed to. It utilized a multidisciplinary approach by borrowing from the social sciences, physics, engineering, computer science, and international security studies. This method of research has demonstrated that cyberspace is an extremely complex phenomenon and needs to be analyzed from a variety of perspectives. The paper has demonstrated that the traditional framework of international security studies does not successfully portray the full spectrum of threats or vulnerabilities in cyberspace. The theoretical work of sociologists such as Jessop and O’Toole has shown the sheer interconnectivity of the virtual world where the nonlinear nature of networks makes it near impossible to manage vulnerability. The work of physicists Vikas and Chopra has provided an insight into the nature of ripple effects and the potential vulnerability of cyber-attacks across sectors such the economy and governments. The practical segments of this paper have shown that non-state actors such as the hacker group LulzSec pose an immense threat to the security of the virtual world. Moreover, it has displayed that not only is cyberspace open to attack from a technological perspective but human error and manipulation such as social engineering also pose a prominent threat. Even the most technologically secure system can be exploited by a skilled social engineer as seen in the case studies in this paper. Ultimately, this paper has displayed that nations, governmental and non-governmental organizations, multinational corporations, individuals – everyone and everything are to some degree vulnerable to a cyber-attack.
Andress, J. & Winterfield, S. (2013) The Basics of Cyber Warfare: Understanding the Fundamentals of Cyber Warfare in Theory and Practice. USA: Elsevier Inc.
Byrne, D. (2002) Complexity Theory and the Social Sciences. USA: Routledge.
Coleman, G. (2014) Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous. USA: Verso Books.
CTF Time (2015) CTF? WTF? Available at: https://ctftime.org/ctf-wtf/ (Accessed: 11/03/2016).
Department of Homeland Security (2016) Critical Infrastructure Sectors. Available at: https://www.dhs.gov/critical-infrastructure-sectors (Accessed: 11/03/2016).
Goktug, M. & Wachhaus, A. (2009) ‘Network and Complexity Theories: A Comparison and Prospects for a Synthesis’, Administrative Theory & Praxis (M.E. Sharpe), 31(1) p44-58.
Granger, S. (2001) Social Engineering Fundamentals, Part 1. Hacker Tactics. Available at: http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics (Accessed: 10/03/2016).
Greenwald, G. (2014) No Place to Hiding: Edward Snowden, the NSA and the Surveillance State. England: Penguin Group.
Information Warfare Monitor (2009) Tracking Ghostnet: Investigating a Cyber Espionage Network. Online: Information Warfare Monitor.
Jessop, B. (1990) State theory. Cambridge: Polity Press.
Joost, S. & Jalal, A. (2014) ‘Modeling the Ripple Effects of IT-Based Incidents on Interdependent Economic Systems’, Systems Engineering, 18(2) pp.146-161.
Kali Tools (2016) Maltego Teeth. Available at: http://tools.kali.org/information-gathering/maltego-teeth (Accessed: 10/03/2016).
Korolov, M. (2015) Cyberattacks have ripple effects on partners, industries. Available at: http://www.csoonline.com/article/2906501/cyber-attacks-espionage/cyberattacks-have-ripple-effects-on-partners-industries.html (Accessed: 03/03/2016).
Lee, I. & Lee, K. (2015) ‘The Internet of Things: Applications, Investments, and Challenges for enterprises’, Business Horizons, 58(4) pp.431-440.
McAfee (2015) Critical Infrastructure Readiness Report: Holding the Line Against Cyberthreats. (online). UK: The Aspen Institute & McAfee Intel Security.
Microsoft (2016) Internet Safety for Enterprise and Organizations. Available at: http://www.microsoft.com/en-us/download/details.aspx?id=10484#overview (Accessed: 11/03/2016).
Muti, A., Tajer, K., & Macfaul, L. (2014) Cyberspace: An Assessment of Current Threats, Real Consequences and Potential Solutions. (online). Oxford: Oxford Research Group.
National Crime Agency (2016) Cyber Crime. Available at: http://www.nationalcrimeagency.gov.uk/crime-threats/cyber-crime (Accessed: 10/03/2016).
National Crime Agency (2016) Cyber Crime: Preventing young people from getting involved. Available at: http://www.nationalcrimeagency.gov.uk/crime-threats/cyber-crime/cyber-crime-preventing-young-people-from-getting-involved (Accessed: 04/03/2016).
NATO Cooperative Cyber Defence Centre of Excellence (2016) Cyber Definitions. Available at: https://ccdcoe.org/cyber-definitions.html (Accessed: 10/03/2016).
Olson, P. (2013) We are Anonymous. Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency. London: William Heinemann.
O’Toole, L.J. (1997) ‘Treating networks seriously: Practical and research based agendas in public administration’, Public Administration Review, 57, 45-52.
Patel, R.S. (2013) Kali Linux Social Engineering. Online: Packt Publishing Ltd.
Pendergrass, S. (2012) ‘Hackers gone wild: The 2011 spring break of LulzSec’, Issues in Information Systems, 13(1) pp.133-143.
Plural Sight (2016) Kids devour technology. Now they can create it. Available at: https://www.pluralsight.com/kids-courses (Accessed: 11/03/2016).
Pomerleau, M. (2015) State vs non-state hackers: Different tactics, equal threat? Available at: https://defensesystems.com/articles/2015/08/17/cyber-state-vs-non-state-haclers-tactics.aspx (Accessed: 21/02/2016).
Porche, I. R. (2016) Emerging Cyber Threats and Implications. Online: RAND Corporation
Richards, J. (2014) Cyber-War: The Anatomy of the Global Security Threat. UK: Palgrave Macmillan.
Rid, T (2012) ‘Cyber War Will Not Take Place’, Journal of Strategic Studies, 35(1) pp. 5-32.
Roberts, J. & Armitage, J. (2003) Living with Cyberspace. UK: The Athlone Press.
SANS Institute (2016) A Multi-Level Defense Against Social Engineering. Available at: http://www.sans.org/reading-room/whitepapers/engineering/multi-level-defense-social-engineering-920 (Accessed: 11/03/2016).
Shi, X. & Zhuge, H. (2011) ‘Cyber Physical Socio Ecology’, Concurrency and Computation: Practice & Experience, 23(9) pp.972-984.
Singh, A. (2013) Instant Kali Linux. Online: Packt Publishing Ltd.
Such, J.M., Vidler, J., Seabrook, T. & Rashid, A. (2015) ‘Cyber Security Controls Effectiveness: A Qualitative Assessment of Cyber Essentials’, Security Lancaster, Lancaster University 2015.
Tech Future Girls (2016) Tech future girls. Available at: http://www.techfuturegirls.com/ (Accessed: 04/03/2016).
The Guardian (2014) Coding at school: a parent’s guide to England’s new computing curriculum. Available at: http://www.theguardian.com/technology/2014/sep/04/coding-school-computing-children-programming (Accessed: 02/03/2016).
The Wall Street Journal (2011) Cyber Combat: Act of War. Available at: http://www.wsj.com/articles/SB10001424052702304563104576355623135782718 (Accessed: 11/03/2016).
Trusted Security (2016) The Social-Engineer Toolkit. Available at: https://www.trustedsec.com/social-engineer-toolkit/ (Accessed: 11/03/2016).
UK Cyber Security Challenge (2016) Cyber Security Challenge. Available at: https://cybersecuritychallenge.org.uk/ (Accessed: 05/03/2016).
US-CERT (2016) Protect your Workforce Campaign. Available at: https://www.us-cert.gov/security-publications/protect-your-workforce-campaign#work (Accessed: 11/03/2016).
Vikas, K. & Chopra, S. (2015) ‘Interconnectedness and interdependencies of critical infrastructures in the US economy: Implications for resilience’, Physica A: Statistical Mechanics and its Applications, 436 pp.865-877.
Weippl, E., Huber, M., Hobel, H. & Krombholz, K. (2015) ‘Advanced social engineering attacks’, Journal of Information Security and Applications, 22 pp.113-122.
Yamich, J. & Smith, A. (2012) The Impact Hacktivist organizations have on our perceptions of hackers and information security. Online: Purdue University.
Zenir, J. & Shimonski, R. (2015) Cyber Reconnaissance, Surveillance and Defense. USA: Elsevier Inc.
Zetter, K. (2010) Google Hack Attack was Ultra Sophisticated, New Details Show. Available at: http://www.wired.com/2010/01/operation-aurora/ (Accessed: 10/03/2016).