
IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253 Common Threats and Vulnerabilities




  1. IT Risk Management, Planning and Mitigation
     TCOM 5253 / MSIS 4253
     Common Threats and Vulnerabilities
     20 September 2007
     Charles G. Gray
     (c) 2007 Charles G. Gray

  2. What is a “Threat”
     • Any indication, circumstance or event with the potential to cause the loss of or damage to an asset
     • Intention and capability of a threat-source to undertake actions that would be detrimental to:
       • The United States
       • An organization/enterprise

  3. Leading Threats for 2007
     • Move to non-computer platforms (PDAs)
     • Really Big Botnets (60,000 to 100,000)
     • Privilege escalation attacks
     • Client-side exploits
     • Script-based worms for Web 2.0
     • Self-updating malware
     • Disabling malware tools
     • Alternative evil certificates
     • Spyware protected by rootkits

  4. Threat Categories
     • Insiders
       • Intentional
       • Accidental
     • Outsiders
       • Criminal
       • Benign
       • Commercial
     • Foreign intelligence service
     • Terrorist
     • Foreign military
     • Environmental
     • Political
     • “Force Majeure”
     • Internal processes
     • Wireless access
     • Other

  5. Insiders - Intentional
     • Disgruntled or terminated employees
     • Plant malicious computer code
     • “Leaks” to the media
     • Retribution for perceived “wrong”
     • Attempted (or actual) extortion
     • “Whistleblower”
     • Espionage/theft of sensitive material
     • Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
     • Property/software theft

  6. Insiders - Accidental
     • Careless loss of classified material
     • Incorrect data input
     • Poor programming skills
     • Accidental/improper keystrokes
     • Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
     • “Social engineering”
     • Lack of training
     • Build-up of cookies, spyware, adware, etc.

  7. Outsider - Criminal
     • Violent acts against people (“go postal”)
     • Could be a former “insider”
     • Theft/destruction of property
     • Theft of personal information
       • Account numbers, PINs
       • Medical information
     • Identity theft
     • Phishing/Pharming (??)
     • “Social engineering”

  8. Outsider – Benign (?)
     • “Recreational” hackers
     • “Script kiddies”
     • “Packet monkeys”
     • Experimenters (DOS attack??)
     • Ethical hackers (an oxymoron??)
     • Penetration testing
     • “Researchers”
     • “Mydoom” worm, November 2004

  9. Outsider - Commercial
     • Spam (unsolicited commercial e-mail)
     • Spyware/adware/malware
     • Cookies (persistent state client object)
     • “Dumpster divers”
     • Keyloggers
     • Spoofing/masquerading/mimicking
     • Modifying GPS code to give wrong location information
     • Reverse engineering

  10. Foreign Intelligence Service
     • Spies (HUMINT – human intelligence)
     • Surveillance
     • SIGINT – signal intelligence
     • Embassies on hilltops for a reason
     • Satellite-based monitoring (Echelon)
     • ELINT – electronic intelligence (TEMPEST)
     • Industrial espionage
     • Trade secrets/patents
     • “Dumpster diving”
     • Cryptanalysis

  11. TEMPEST
     • Sophisticated electromagnetic monitoring
     • CRT images can be monitored
     • Keyboard signals
     • Modem LED signals detectable
     • Telephone signals are easy
     • Video conferencing signals obtainable
     • Red/Black criteria
     • Optical fiber is preferred for connections
     • Most government departments are involved
     • Over a billion dollars a year in the US

  12. Terrorists
     • Assassination
     • Bombing
     • Kidnapping
     • Extortion
     • Biological/chemical attack
     • Infiltration
     • Exploitation
     • Revenge

  13. Foreign Military
     • Nuclear attack
     • Biological attack
     • Low-intensity conflict
     • Conventional war
     • Asymmetrical conflict
     • Cyberwar
     • Chinese doctrine - “anything goes”

  14. Environmental
     • Fire / tsunami / flood (burst pipe, or other)
     • Earthquake
     • Pollution / chemicals / liquid leakage
     • Storms/lightning
     • Hurricane, cyclone, typhoon
     • Tornado
     • Long-term power outage
     • Global warming (water levels)

  15. Political
     • Coups/violence/upheaval
     • Unfriendly environment
     • Taxation changes / nationalization
     • Accounting rules changes
     • Privacy concerns
     • Activists – motivated for a cause
       • Anti-globalization (WTO demonstrations)
       • PETA
       • Environmentalists (e.g., Greenpeace)
     • Personal views of “right” and “wrong”

  16. “Force Majeure”
     • Literally, “greater force” or “Acts of God”
     • Webster – “An unexpected or, if expected, an uncontrollable event”
     • Examples
       • War/invasion
       • Embargo
       • Epidemic/pandemic
       • Breakdown of machinery
       • Employee strike

  17. Internal Processes
     • Inadequate change control process
     • Lack of audit trails (Sarbanes-Oxley Act)
     • Allow indiscriminate system access
       • “Need to know” vs. “access to everything”
     • Operations support system failure
       • Back office systems
     • Weak access security
       • Password control
       • Physical access (“tailgating”)

  18. Wireless Access
     • Among European companies:
       • 95% provide mobile access via PCs (79%), PDA/Bluetooth (73%) and smartphones (37%)
       • 47% have not done a detailed security review
       • 11% have done NO security review
       • 26% provide open access to corporate networks, including ERP/CRM systems
     • Typically by incremental adoption
       • No corporate standards, hard to manage
       • Hundreds/thousands of uncontrolled devices

  19. Other Threats
     • Train derailment – damaging fiber optics
     • Sunspots (“solar max”)
     • High altitude electromagnetic pulse
     • Satellite failure
     • Undersea cable failure
     • Proprietary network failure (e.g., FSO)
     • Cell phone blockage (e.g., Ford Motor Co.)

  20. Vulnerability
     • A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy

  21. End-point Vulnerabilities
     • USB flash drives – over a billion sold
     • iPods – over 100M sold
       • Recent survey – 61% didn’t even know what “podslurping” is
     • PDAs – smart phones
       • Wireless e-mail
     • Notebook PCs
     • SD cards (portable devices)
     • SarBox doesn’t discriminate (flash drive or mainframe – data must be protected)

  22. Terminated Employee
     • Employee ID (multiple) not removed from all systems
       • May allow dial-in to the network
       • Access to proprietary information
       • May lead to extortion/blackmail
     • ID/key card may allow unauthorized physical access
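The slide's point is that one person typically has several identifiers (directory login, VPN account, ERP user, badge number) and that removing only some of them leaves the rest usable. The following added example, which is not from the slides, reconciles an HR termination feed against per-system account exports and flags identifiers that are still enabled, putting those actually used after the termination date first. The HR feed, the account exports, the review date and the system names (directory, vpn, erp, badge) are all constructed for illustration.

```python
"""Offboarding reconciliation: find identifiers that outlived a termination.

Added example, not from the slides. The HR termination feed, the per-system
account exports and the review date are constructed sample data; the system
names (directory, vpn, erp, badge) and the record layout are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    system: str                 # which system exported this record
    user_id: str                # login name, badge number, or other identifier
    enabled: bool               # can the identifier still authenticate?
    last_login: Optional[date]  # most recent use seen in that system's logs


# Constructed HR feed. One person has several identifiers (the slide's
# "Employee ID (multiple)"), so every known alias is listed with the date.
TERMINATED: Dict[str, dict] = {
    "jdoe":   {"term_date": date(2007, 9, 1),  "ids": {"jdoe", "doej", "badge-1042"}},
    "asmith": {"term_date": date(2007, 8, 15), "ids": {"asmith", "badge-0871"}},
}

# Constructed account exports from four systems. bjones is a current employee.
ACCOUNTS: List[Account] = [
    Account("directory", "jdoe",       False, date(2007, 9, 1)),
    Account("vpn",       "doej",       True,  date(2007, 9, 10)),  # dial-in still works
    Account("erp",       "jdoe",       True,  None),
    Account("badge",     "badge-1042", True,  date(2007, 9, 3)),   # door opened after leaving
    Account("directory", "asmith",     False, None),
    Account("erp",       "asmith",     True,  date(2007, 8, 10)),
    Account("vpn",       "bjones",     True,  date(2007, 9, 15)),
]

REVIEW_DATE = date(2007, 9, 20)  # constructed "today" for the review


def lingering_access(accounts: List[Account], terminated: Dict[str, dict],
                     today: date) -> List[dict]:
    """Return every still-enabled identifier that belongs to a terminated person.

    Findings are ordered so that identifiers actually used after the
    termination date come first, then the rest by how long they have lingered.
    """
    alias_to_person: Dict[str, str] = {}
    for person, rec in terminated.items():
        for alias in rec["ids"]:
            alias_to_person[alias] = person

    findings = []
    for acct in accounts:
        person = alias_to_person.get(acct.user_id)
        if person is None or not acct.enabled:
            continue  # current employee, or already disabled: nothing to report
        term_date = terminated[person]["term_date"]
        used_after = acct.last_login is not None and acct.last_login > term_date
        findings.append({
            "person": person,
            "system": acct.system,
            "user_id": acct.user_id,
            "status": "used-after-termination" if used_after else "still-enabled",
            "days_since_termination": (today - term_date).days,
        })
    # Used-after-termination first; within each group, oldest termination first.
    findings.sort(key=lambda f: (f["status"] != "used-after-termination",
                                 -f["days_since_termination"]))
    return findings


if __name__ == "__main__":
    for f in lingering_access(ACCOUNTS, TERMINATED, REVIEW_DATE):
        print(f"{f['status']:24} {f['person']:8} {f['system']:10} "
              f"{f['user_id']:12} {f['days_since_termination']} days")
```

On the constructed data the disabled directory logins are correctly ignored, while the VPN alias and the badge, both used after jdoe's termination date, come out on top; the ERP accounts that were never disabled follow. Feeding real exports into the same function requires that every system's identifier for a person is known to HR, which is exactly the gap the slide describes.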

  23. System Firewall(s)
     • Allow inbound telnet
     • “Guest” ID is enabled on one or more servers allowing browsing system files to:
       • Hackers, criminals
       • Disgruntled employees
       • Terrorists
     • Telephone calling cards
       • DISA (phone system)

  24. Vendor-identified Flaws
     • Known system vulnerabilities
       • Patches not installed
       • Microsoft Windows seriously flawed
     • Risk of unauthorized access by:
       • Hackers, criminals
       • Disgruntled employees
       • Terrorists
     • Patches and “service packs” should be installed immediately upon availability

  25. Physical Environment
     • Water instead of Halon for fire suppression
       • Halon banned in the EU 31 Dec 2003
       • Replacements are
         • 3M Novec 1230
         • DuPont FE-25
     • Protective covers must be available and placed properly
     • Protection from water (rain) incursion, plumbing leaks
       • Construction may change drainage plan

  26. Threat Sources
     • Hacker, cracker
     • Computer criminal
     • Terrorist
     • Industrial espionage
     • The “cleaning” team
     • Insiders (employees or consultants)
       • Poorly trained programmers/developers
       • Disgruntled
       • Malicious/dishonest
       • Negligent

  27. Threat Sources/Motivation
     • Hacker/cracker
       • Challenge, ego, rebellion
     • Computer criminal
       • Destruction of information, monetary gain
       • Data alteration, illegal information disclosure
     • Terrorist
       • Blackmail, destruction, exploitation, revenge
     • Industrial espionage
       • Competitive advantage, economic espionage

  28. Threat Sources/Motivation
     • Insiders (employees/consultants)
       • Curiosity
       • Ego
       • Intelligence
       • Monetary gain
       • Insider trading
       • Revenge
     • Unintentional (poor workmanship)
       • Data entry error
       • Programming error

  29. Likelihood Determination
     • The probability that a potential vulnerability may be exercised within the context of the associated threat environment involves
       • Threat-source motivation and capability
       • Nature of the vulnerability
       • Existence and effectiveness of current controls

  30. Likelihood Definitions
     • High
       • Threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective or non-existent

  31. Likelihood Definitions
     • Medium
       • The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability

  32. Likelihood Definitions
     • Low
       • The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised
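Slides 29 through 32 define likelihood in words from three inputs: threat-source motivation, threat-source capability, and the state of current controls. The following added example, not from the slides, encodes those three definitions as a rating function and applies it to a small risk register built from vulnerabilities named elsewhere in the deck. The 0 to 2 scales for motivation and capability, the register entries and their ratings are constructed; one gap in the slide wording (a source that is motivated but not "highly" motivated, facing no controls) is resolved to Medium, and that choice is labelled as an assumption in the code.

```python
"""Likelihood determination (slides 29-32) applied to a small risk register.

Added example, not from the slides. The 0-2 scales for motivation and
capability and the register entries are constructed; the slides define only
the High / Medium / Low outcomes in words.
"""
from enum import Enum
from typing import List, Tuple


class Controls(Enum):
    """State of current controls against the vulnerability being exercised."""
    NONE = "non-existent or ineffective"
    IMPEDE = "in place, may impede"
    PREVENT = "prevent or significantly impede"


class Likelihood(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def likelihood(motivation: int, capability: int, controls: Controls) -> Likelihood:
    """Apply the three slide definitions, Low first because it is an OR of conditions.

    Constructed scale for motivation and capability:
    0 = lacking, 1 = present, 2 = high / sufficient.
    """
    if not (0 <= motivation <= 2 and 0 <= capability <= 2):
        raise ValueError("motivation and capability must be 0, 1 or 2")
    # Low: the threat-source lacks motivation or capability, OR controls
    # prevent or at least significantly impede the vulnerability's exercise.
    if motivation == 0 or capability == 0 or controls is Controls.PREVENT:
        return Likelihood.LOW
    # High: highly motivated AND sufficiently capable AND controls ineffective
    # or non-existent.
    if motivation == 2 and capability == 2 and controls is Controls.NONE:
        return Likelihood.HIGH
    # Medium: motivated and capable, but controls may impede. Assumption: a
    # source that is merely motivated (1) with no controls also lands here,
    # because the High definition requires "highly" motivated.
    return Likelihood.MEDIUM


# Constructed register: (vulnerability, motivation, capability, controls).
# The vulnerabilities are ones the deck names; the ratings are illustrative.
REGISTER: List[Tuple[str, int, int, Controls]] = [
    ("Terminated employee ID still allows dial-in", 2, 2, Controls.NONE),
    ("Inbound telnet allowed through the firewall", 2, 1, Controls.IMPEDE),
    ("Vendor patches not installed", 2, 2, Controls.PREVENT),
    ("Guest ID enabled on a server", 1, 1, Controls.IMPEDE),
    ("Uncontrolled wireless devices, probed by a script kiddie", 2, 0, Controls.NONE),
]


def rank(register: List[Tuple[str, int, int, Controls]]) -> List[Tuple[str, Likelihood]]:
    """Rate every register entry and order it highest likelihood first."""
    rated = [(name, likelihood(m, c, ctl)) for name, m, c, ctl in register]
    return sorted(rated, key=lambda r: r[1].value, reverse=True)


if __name__ == "__main__":
    for name, level in rank(REGISTER):
        print(f"{level.name:7} {name}")
```

Ordering the Low test first matters: "patches not installed" stays Low here even though the threat-source is highly motivated and capable, because the slide's Low definition is satisfied by effective controls alone. Reversing the order of the checks would rate it High and hide the effect of the controls.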

  33. Summary
     • Definition of “threat”
     • Reviewed threat categories
     • Defined “vulnerability”
     • Looked at various “threat-sources” and their motivations
     • Brief discussion of likelihood determination and definitions
