IT Risk Management, Planning and Mitigation
TCOM 5253 / MSIS 4253
Common Threats and Vulnerabilities
20 September 2007
Charles G. Gray
(c) 2007 Charles G. Gray
What is a “Threat”
• Any indication, circumstance or event with the potential to cause the loss of or damage to an asset
• Intention and capability of a threat-source to undertake actions that would be detrimental to:
  • The United States
  • An organization/enterprise
Leading Threats for 2007
• Move to non-computer platforms (PDAs)
• Really Big Botnets (60,000 to 100,000)
• Privilege escalation attacks
• Client-side exploits
• Script-based worms for Web 2.0
• Self-updating malware
• Disabling malware tools
• Alternative evil certificates
• Spyware protected by rootkits
Threat Categories
• Insiders
  • Intentional
  • Accidental
• Outsiders
  • Criminal
  • Benign
  • Commercial
• Foreign intelligence service
• Terrorist
• Foreign military
• Environmental
• Political
• “Force Majeure”
• Internal processes
• Wireless access
• Other
Insiders - Intentional
• Disgruntled or terminated employees
  • Plant malicious computer code
  • “Leaks” to the media
  • Retribution for perceived “wrong”
  • Attempted (or actual) extortion
  • “Whistleblower”
• Espionage/theft of sensitive material
  • Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
  • Property/software theft
Insiders - Accidental
• Careless loss of classified material
• Incorrect data input
• Poor programming skills
• Accidental/improper keystrokes
• Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
• “Social engineering”
• Lack of training
• Build-up of cookies, spyware, adware, etc.
Outsider - Criminal
• Violent acts against people (“go postal”)
  • Could be a former “insider”
• Theft/destruction of property
• Theft of personal information
  • Account numbers, PINs
  • Medical information
  • Identity theft
• Phishing/Pharming (??)
• “Social engineering”
Outsider – Benign (?)
• “Recreational” hackers
• “Script kiddies”
• “Packet monkeys”
• Experimenters (DOS attack??)
• Ethical hackers (an oxymoron??)
  • Penetration testing
• “Researchers”
  • “Mydoom” worm, November 2004
Outsider - Commercial
• Spam (unsolicited commercial e-mail)
• Spyware/adware/malware
• Cookies (persistent state client object)
• “Dumpster divers”
• Keyloggers
• Spoofing/masquerading/mimicking
• Modifying GPS code to give wrong location information
• Reverse engineering
Foreign Intelligence Service
• Spies (HUMINT – human intelligence)
• Surveillance
  • SIGINT – signal intelligence
    • Embassies on hilltops for a reason
    • Satellite-based monitoring (Echelon)
  • ELINT – electronic intelligence (TEMPEST)
• Industrial espionage
  • Trade secrets/patents
  • “Dumpster diving”
• Cryptanalysis
TEMPEST
• Sophisticated electromagnetic monitoring
  • CRT images can be monitored
  • Keyboard signals
  • Modem LED signals detectable
  • Telephone signals are easy
  • Video conferencing signals obtainable
• Red/Black criteria
  • Optical fiber is preferred for connections
• Most government departments are involved
  • Over a billion dollars a year in the US
Terrorists
• Assassination
• Bombing
• Kidnapping
• Extortion
• Biological/chemical attack
• Infiltration
• Exploitation
• Revenge
Foreign Military
• Nuclear attack
• Biological attack
• Low-intensity conflict
• Conventional war
• Asymmetrical conflict
• Cyberwar
• Chinese doctrine - “anything goes”
Environmental
• Fire / tsunami / flood (burst pipe, or other)
• Earthquake
• Pollution / chemicals / liquid leakage
• Storms/lightning
  • Hurricane, cyclone, typhoon
  • Tornado
• Long-term power outage
• Global warming (water levels)
Political
• Coups/violence/upheaval
• Unfriendly environment
  • Taxation changes / nationalization
  • Accounting rules changes
  • Privacy concerns
• Activists – motivated for a cause
  • Anti-globalization (WTO demonstrations)
  • PETA
  • Environmentalists (e.g., Greenpeace)
  • Personal views of “right” and “wrong”
“Force Majeure”
• Literally, “greater force” or “Acts of God”
• Webster – “An unexpected or, if expected, an uncontrollable event”
• Examples
  • War/invasion
  • Embargo
  • Epidemic/pandemic
  • Breakdown of machinery
  • Employee strike
Internal Processes
• Inadequate change control process
• Lack of audit trails (Sarbanes-Oxley Act)
• Allow indiscriminate system access
  • “Need to know” vs. “access to everything”
• Operations support system failure
  • Back office systems
• Weak access security
  • Password control
  • Physical access (“tailgating”)
Wireless Access
• Among European companies:
  • 95% provide mobile access via PCs (79%), PDA/Bluetooth (73%) and smartphones (37%)
  • 47% have not done a detailed security review
  • 11% have done NO security review
  • 26% provide open access to corporate networks, including ERP/CRM systems
• Typically by incremental adoption
  • No corporate standards, hard to manage
  • Hundreds/thousands of uncontrolled devices
Other Threats
• Train derailment – damaging fiber optics
• Sunspots (“solar max”)
• High altitude electromagnetic pulse
• Satellite failure
• Undersea cable failure
• Proprietary network failure (e.g., FSO)
• Cell phone blockage (e.g., Ford Motor Co.)
Vulnerability
• A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy
End-point Vulnerabilities
• USB flash drives – over a billion sold
• iPods – over 100M sold
  • Recent survey – 61% didn’t even know what “podslurping” is
• PDAs – smart phones
  • Wireless e-mail
• Notebook PCs
• SD cards (portable devices)
• SarBox doesn’t discriminate (flash drive or mainframe – data must be protected)
Terminated Employee
• Employee ID (multiple) not removed from all systems
  • May allow dial-in to the network
  • Access to proprietary information
  • May lead to extortion/blackmail
• ID/key card may allow unauthorized physical access
System Firewall(s)
• Allow inbound telnet
• “Guest” ID is enabled on one or more servers, allowing browsing of system files by:
  • Hackers, criminals
  • Disgruntled employees
  • Terrorists
• Telephone calling cards
  • DISA (phone system)
Vendor-identified Flaws
• Known system vulnerabilities
  • Patches not installed
  • Microsoft Windows seriously flawed
• Risk of unauthorized access by:
  • Hackers, criminals
  • Disgruntled employees
  • Terrorists
• Patches and “service packs” should be installed immediately upon availability
Physical Environment
• Water instead of Halon for fire suppression
  • Halon banned in the EU 31 Dec 2003
  • Replacements are
    • 3M Novec 1230
    • DuPont FE-25
• Protective covers must be available and placed properly
  • Protection from water (rain) incursion, plumbing leaks
• Construction may change drainage plan
Threat Sources
• Hacker, cracker
• Computer criminal
• Terrorist
• Industrial espionage
  • The “cleaning” team
• Insiders (employees or consultants)
  • Poorly trained programmers/developers
  • Disgruntled
  • Malicious/dishonest
  • Negligent
Threat Sources/Motivation
• Hacker/cracker
  • Challenge, ego, rebellion
• Computer criminal
  • Destruction of information, monetary gain
  • Data alteration, illegal information disclosure
• Terrorist
  • Blackmail, destruction, exploitation, revenge
• Industrial espionage
  • Competitive advantage, economic espionage
Threat Sources/Motivation (continued)
• Insiders (employees/consultants)
  • Curiosity
  • Ego
  • Intelligence
  • Monetary gain
  • Insider trading
  • Revenge
  • Unintentional (poor workmanship)
    • Data entry error
    • Programming error
Likelihood Determination
• The probability that a potential vulnerability may be exercised within the context of the associated threat environment involves:
  • Threat-source motivation and capability
  • Nature of the vulnerability
  • Existence and effectiveness of current controls
Likelihood Definitions
• High
  • Threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective or non-existent
• Medium
  • The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability
• Low
  • The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised
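As an added example (not part of the lecture slides), the three likelihood definitions above written as a rating function, applied to scenarios constructed from the deck's own slides (terminated employee whose ID was never removed, inbound telnet behind password control, vendor flaws with prompt patching). The 0/1/2 motivation scale, the "none"/"impedes"/"prevents" control labels and the handling of the motivated-but-uncontrolled case the definitions do not name are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Likelihood(Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"

@dataclass(frozen=True)
class ThreatSource:
    name: str
    motivation: int  # assumed scale: 0 = none, 1 = motivated, 2 = highly motivated
    capable: bool    # sufficiently capable of exercising the vulnerability

@dataclass(frozen=True)
class Control:
    name: str
    effect: str  # assumed labels: "none", "impedes" (may impede), "prevents" (prevents or significantly impedes)

_CONTROL_ORDER = {"none": 0, "impedes": 1, "prevents": 2}

def strongest_control(controls):
    """Rate the control environment by its strongest control; 'none' when no control exists."""
    return max((c.effect for c in controls), key=_CONTROL_ORDER.__getitem__, default="none")

def rate_likelihood(source, controls=()):
    """Apply the deck's High/Medium/Low definitions. Low is tested first because it is an OR of conditions."""
    effect = strongest_control(controls)
    # Low: lacks motivation or capability, OR controls prevent / significantly impede exercise
    if source.motivation == 0 or not source.capable or effect == "prevents":
        return Likelihood.LOW
    # Medium: motivated and capable, but controls in place that may impede
    if effect == "impedes":
        return Likelihood.MEDIUM
    # High: highly motivated and sufficiently capable, controls ineffective or non-existent
    if source.motivation == 2:
        return Likelihood.HIGH
    # Motivated (not highly), capable, no effective control: the definitions do not name this case.
    # Assumption: rate it Medium rather than High; an analyst should review this gap explicitly.
    return Likelihood.MEDIUM

def rate_scenarios():
    """Constructed scenarios drawn from the deck's own slides (terminated employee, firewall, vendor flaws)."""
    ex_employee = ThreatSource("terminated employee", motivation=2, capable=True)
    script_kiddie = ThreatSource("script kiddie", motivation=1, capable=False)
    criminal = ThreatSource("computer criminal", motivation=2, capable=True)
    return {
        "ex-employee, ID never removed, no control": rate_likelihood(ex_employee),
        "script kiddie lacking capability": rate_likelihood(script_kiddie),
        "criminal vs. inbound telnet, password control impedes": rate_likelihood(criminal, [Control("password control", "impedes")]),
        "criminal vs. known flaw, patches installed on release": rate_likelihood(criminal, [Control("prompt patching", "prevents")]),
    }
```

Because the Low definition is an OR, one "prevents" control drives the rating to Low even against a highly motivated, capable source, which is exactly the argument the deck makes for installing patches immediately.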
Summary
• Definition of “threat”
• Reviewed threat categories
• Defined “vulnerability”
• Looked at various “threat-sources” and their motivations
• Brief discussion of likelihood determination and definitions