Transcript of IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253 Common Threats and Vulnerabilities
(c) 2007 Charles G. Gray 1
IT Risk Management, Planning and Mitigation
TCOM 5253 / MSIS 4253
Common Threats and Vulnerabilities
20 September 2007
Charles G. Gray
What is a “Threat”
• Any indication, circumstance or event with the potential to cause the loss of or damage to an asset
• Intention and capability of a threat-source to undertake actions that would be detrimental to:
  – The United States
  – An organization/enterprise
Leading Threats for 2007
• Move to non-computer platforms (PDAs)
• Really big botnets (60,000 to 100,000 compromised hosts)
• Privilege escalation attacks
• Client-side exploits
• Script-based worms for Web 2.0
• Self-updating malware
• Malware that disables anti-malware tools
• Alternative evil certificates
• Spyware protected by rootkits
Threat Categories
• Insiders
  – Intentional
  – Accidental
• Outsiders
  – Criminal
  – Benign
  – Commercial
• Foreign intelligence service
• Terrorist
• Foreign military
• Environmental
• Political
• “Force Majeure”
• Internal processes
• Wireless access
• Other
Insiders - Intentional
• Disgruntled or terminated employees
  – Plant malicious computer code
  – “Leaks” to the media
  – Retribution for perceived “wrong”
  – Attempted (or actual) extortion
  – “Whistleblower”
• Espionage/theft of sensitive material
• Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
• Property/software theft
Insiders - Accidental
• Careless loss of classified material
• Incorrect data input
• Poor programming skills
• Accidental/improper keystrokes
• Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
  – “Social engineering”
  – Lack of training
• Build-up of cookies, spyware, adware, etc.
Outsider - Criminal
• Violent acts against people (“go postal”)
  – Could be a former “insider”
• Theft/destruction of property
• Theft of personal information
  – Account numbers, PINs
  – Medical information
  – Identity theft
• Phishing / pharming (pharming steers the victim to a fraudulent site by tampering with DNS or the local hosts file, rather than by luring them with a message)
• “Social engineering”
Outsider – Benign (?)
• “Recreational” hackers
• “Script kiddies”
• “Packet monkeys”
• Experimenters (DOS attack??)
• Ethical hackers (an oxymoron??)
  – Penetration testing
• “Researchers”
  – “Mydoom” worm variant, November 2004, which exploited an Internet Explorer IFRAME flaw within days of its public disclosure by a researcher
Outsider - Commercial
• Spam (unsolicited commercial e-mail)
• Spyware/adware/malware
• Cookies (persistent client-side state object)
• “Dumpster divers”
• Keyloggers
• Spoofing/masquerading/mimicking
• Modifying GPS code to give wrong location information
• Reverse engineering
Foreign Intelligence Service
• Spies (HUMINT – human intelligence)
• Surveillance
  – SIGINT – signals intelligence
• Embassies on hilltops for a reason
  – Satellite-based monitoring (Echelon)
  – ELINT – electronic intelligence (TEMPEST)
• Industrial espionage
• Trade secrets/patents
• “Dumpster diving”
• Cryptanalysis
TEMPEST
• Sophisticated electromagnetic monitoring of unintentional emanations
• CRT images can be monitored
  – Keyboard signals
• Modem LED signals detectable
• Telephone signals are easy
  – Video conferencing signals obtainable
• Red/Black separation criteria (RED circuits carry plaintext, BLACK circuits carry only encrypted or non-sensitive signals; the two must be physically and electrically separated)
  – Optical fiber is preferred for connections (it does not radiate)
• Most government departments are involved
• Over a billion dollars a year in the US
Terrorists
• Assassination
• Bombing
• Kidnapping
• Extortion
• Biological/chemical attack
• Infiltration
• Exploitation
• Revenge
Foreign Military
• Nuclear attack
• Biological attack
• Low-intensity conflict
• Conventional war
• Asymmetrical conflict
• Cyberwar
  – Chinese doctrine - “anything goes” (cf. Unrestricted Warfare, 1999)
Environmental
• Fire / tsunami / flood (burst pipe, or other)
• Earthquake
• Pollution / chemicals / liquid leakage
• Storms/lightning
  – Hurricane, cyclone, typhoon
  – Tornado
• Long-term power outage
• Global warming (rising water levels)
Political
• Coups/violence/upheaval
• Unfriendly environment
  – Taxation changes / nationalization
• Accounting rules changes
• Privacy concerns
• Activists – motivated for a cause
  – Anti-globalization (WTO demonstrations)
  – PETA
  – Environmentalists (e.g., Greenpeace)
  – Personal views of “right” and “wrong”
“Force Majeure”
• Literally, “greater force” or “Acts of God”
• Webster – “An unexpected or, if expected, an uncontrollable event”
• Examples
  – War/invasion
  – Embargo
  – Epidemic/pandemic
  – Breakdown of machinery
  – Employee strike
Internal Processes
• Inadequate change control process
• Lack of audit trails (Sarbanes-Oxley Act)
• Allow indiscriminate system access
  – “Need to know” vs. “access to everything”
• Operations support system failure
  – Back office systems
• Weak access security
  – Password control
  – Physical access (“tailgating”)
Wireless Access
• Among European companies:
  – 95% provide mobile access via PCs (79%), PDA/Bluetooth (73%) and smartphones (37%)
  – 47% have not done a detailed security review
    • 11% have done NO security review
  – 26% provide open access to corporate networks, including ERP/CRM systems
• Typically by incremental adoption
  – No corporate standards, hard to manage
  – Hundreds/thousands of uncontrolled devices
Other Threats
• Train derailment – damaging fiber optics
• Sunspots (“solar max”)
• High altitude electromagnetic pulse
• Satellite failure
• Undersea cable failure
• Proprietary network failure (e.g., FSO – free-space optical links)
• Cell phone blockage (e.g., Ford Motor Co.)
Vulnerability
• A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy (the NIST SP 800-30 definition)
End-point Vulnerabilities
• USB flash drives – over a billion sold
• iPods – over 100M sold
  – Recent survey – 61% didn’t even know what “podslurping” is (copying data off a PC onto a portable media player)
• PDAs – smart phones – wireless e-mail
• Notebook PCs
• SD cards (portable devices)
• SarBox doesn’t discriminate (flash drive or mainframe – data must be protected)
Terminated Employee
• Employee ID (multiple) not removed from all systems
  – May allow dial-in to the network
  – Access to proprietary information
  – May lead to extortion/blackmail
• ID/key card may allow unauthorized physical access
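The check a practitioner would run against this slide is a reconciliation: every account export (network, applications, badge system) joined against the HR termination feed, so that a second login or a badge that was missed shows up. The following is an added example written for this page, not code from the lecture; the HR feed, the account exports, the system names and the employee numbers are all constructed.

```python
"""Find accounts that should have been disabled when their owner left.

Added example (not from the lecture). The HR feed and the account exports
below are constructed, not real data. The check flags every still-enabled
account, on any system, that belongs to a terminated employee, including
secondary IDs and badges, which is exactly the gap on the slide above.
"""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2007, 9, 20)  # the day the reconciliation is run


@dataclass(frozen=True)
class Account:
    system: str     # e.g. "vpn", "erp", "badge"
    user_id: str    # login or badge number as that system knows it
    owner: str      # employee number the account maps back to
    enabled: bool


# Constructed HR feed: employee number -> termination date (may be in the future).
TERMINATED = {
    "E1001": date(2007, 9, 14),
    "E1042": date(2007, 8, 30),
    "E2310": date(2007, 10, 1),   # notice given, still employed today
}

# Constructed account exports. E1001 has a second ERP login and a badge that
# were missed; E1042's VPN login was removed but the ERP one was not.
ACCOUNTS = [
    Account("vpn",   "jsmith",  "E1001", enabled=True),
    Account("erp",   "jsmith",  "E1001", enabled=False),
    Account("erp",   "jsmith2", "E1001", enabled=True),
    Account("badge", "00417",   "E1001", enabled=True),
    Account("vpn",   "mlee",    "E1042", enabled=False),
    Account("erp",   "mlee",    "E1042", enabled=True),
    Account("vpn",   "akhan",   "E2310", enabled=True),
]


def orphaned_accounts(accounts, terminated, today):
    """Return (system, user_id, owner, days_since_termination) for every
    enabled account whose owner's termination date is today or earlier,
    longest-lived straggler first."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        left = terminated.get(acct.owner)
        if left is None or left > today:   # current employee, or not gone yet
            continue
        findings.append((acct.system, acct.user_id, acct.owner, (today - left).days))
    return sorted(findings, key=lambda f: -f[3])


def run_check():
    """Run the reconciliation over the constructed data as of AS_OF."""
    return orphaned_accounts(ACCOUNTS, TERMINATED, AS_OF)


if __name__ == "__main__":
    for system, user_id, owner, age in run_check():
        print(f"{system:6} {user_id:8} owner={owner} enabled {age} days after termination")
```

The join key is the employee number, not the login name, because the same person typically has different IDs on each system; that is how the second ERP login and the badge are caught. A termination date in the future is skipped deliberately so that an employee serving notice is not locked out early.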
System Firewall(s)
• Allow inbound telnet (credentials and sessions pass in cleartext)
• “Guest” ID is enabled on one or more servers, allowing system files to be browsed by:
  – Hackers, criminals
  – Disgruntled employees
  – Terrorists
• Telephone calling cards
• DISA (Direct Inward System Access on the PBX, a classic toll-fraud target)
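Whether inbound telnet is still permitted is something a ruleset review can answer mechanically. Below is an added example, not part of the lecture, that audits an iptables-save style dump for INPUT rules accepting tcp/23; the ruleset is constructed for the example and does not come from any real host. It honours first-match ordering only to the extent of stopping at an unconditional drop of the port, so a stray ACCEPT placed after such a drop is correctly ignored.

```python
"""Audit an iptables ruleset for inbound telnet (tcp/23) that is still allowed.

Added example, not from the lecture. RULESET below is a constructed
iptables-save style dump; the subnets in it are invented.
"""
import shlex

TELNET = 23

# Constructed ruleset. iptables is first-match-wins, so order matters.
RULESET = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -s 10.10.5.0/24 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,23,25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -j DROP
"""


def _ports(spec):
    """Expand '23', '21,23,25' or '20:25' into a set of port numbers."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into the fields this audit cares about.
    Matches we do not audit (-m, --state, ...) are skipped."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "ports": set(), "src": "0.0.0.0/0", "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]
        elif t == "-p":
            rule["proto"] = toks[i + 1]
        elif t in ("--dport", "--dports"):
            rule["ports"] = _ports(toks[i + 1])
        elif t == "-s":
            rule["src"] = toks[i + 1]
        elif t == "-j":
            rule["target"] = toks[i + 1]
        else:
            i += 1
            continue
        i += 2
    return rule


def telnet_exposure(ruleset):
    """Return (source, rule_line) for every INPUT ACCEPT that admits tcp/23.
    Scanning stops at the first rule that drops tcp/23 from any source,
    because no later rule can be reached for that port."""
    findings = []
    for line in ruleset.splitlines():
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if r["chain"] != "INPUT" or r["proto"] != "tcp" or TELNET not in r["ports"]:
            continue
        if r["target"] == "ACCEPT":
            findings.append((r["src"], line))
        elif r["target"] in ("DROP", "REJECT") and r["src"] == "0.0.0.0/0":
            break
    return findings


if __name__ == "__main__":
    for src, rule in telnet_exposure(RULESET):
        print(f"telnet reachable from {src:14} via: {rule}")
```

Two findings come back from the constructed ruleset: a management subnet that was explicitly allowed, and a multiport rule that lets port 23 in from anywhere alongside FTP and SMTP. The multiport case is the one a manual read tends to miss. The fix is not a better DROP but removing the service: replace telnet with SSH and delete the ACCEPT rules.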
Vendor-identified Flaws
• Known system vulnerabilities
  – Patches not installed
  – Microsoft Windows seriously flawed
• Risk of unauthorized access by:
  – Hackers, criminals
  – Disgruntled employees
  – Terrorists
• Patches and “service packs” should be installed promptly after release, after a test in a staging environment so that the fix does not itself break production
Physical Environment
• Water instead of Halon for fire suppression
  – Halon banned in the EU 31 Dec 2003
  – Replacements are
    • 3M Novec 1230
    • DuPont FE-25
• Protective covers must be available and placed properly
  – Protection from water (rain) incursion, plumbing leaks
  – Construction may change drainage plan
Threat Sources
• Hacker, cracker
• Computer criminal
• Terrorist
• Industrial espionage
  – The “cleaning” team
• Insiders (employees or consultants)
  – Poorly trained programmers/developers
  – Disgruntled
  – Malicious/dishonest
  – Negligent
Threat Sources/Motivation (after NIST SP 800-30)
• Hacker/cracker
  – Challenge, ego, rebellion
• Computer criminal
  – Destruction of information, monetary gain
  – Data alteration, illegal information disclosure
• Terrorist
  – Blackmail, destruction, exploitation, revenge
• Industrial espionage
  – Competitive advantage, economic espionage
Threat Sources/Motivation
• Insiders (employees/consultants)
  – Curiosity
  – Ego
  – Intelligence
  – Monetary gain
    • Insider trading
  – Revenge
  – Unintentional (poor workmanship)
    • Data entry error
    • Programming error
Likelihood Determination (after NIST SP 800-30)
• The probability that a potential vulnerability may be exercised within the context of the associated threat environment depends on
  – Threat-source motivation and capability
  – Nature of the vulnerability
  – Existence and effectiveness of current controls
Likelihood Definitions
• High
  – Threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective or non-existent
• Medium
  – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability
• Low
  – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised
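The three definitions are a decision rule, and writing it down exposes the case they leave open: a source that is motivated but not highly motivated, against a vulnerability with no controls at all, matches neither the High nor the Medium wording. The following is an added example for this page, not material from the lecture, that encodes the rule over ordinal judgements and applies it to constructed threat/vulnerability pairs drawn from the categories above; the choice to rate that open case Medium is the example's own, stated in a comment.

```python
"""Rate likelihood per the High / Medium / Low definitions above.

Added example, not from the lecture. The threat/vulnerability pairs and the
ordinal judgements attached to them are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Pair:
    threat: str
    vulnerability: str
    motivation: Level   # of the threat-source
    capability: Level   # of the threat-source against this vulnerability
    controls: Level     # effectiveness of controls that prevent exercise


def likelihood(p: Pair) -> Level:
    """Apply the definitions in the order the text states them."""
    # Low: the source lacks motivation OR capability, OR controls prevent /
    # significantly impede exercise. Any one of these is enough.
    if p.motivation == Level.LOW or p.capability == Level.LOW or p.controls == Level.HIGH:
        return Level.LOW
    # High: highly motivated, sufficiently capable, and controls ineffective or absent.
    if p.motivation == Level.HIGH and p.capability >= Level.MEDIUM and p.controls == Level.LOW:
        return Level.HIGH
    # Medium: motivated and capable, controls may impede. The definitions do not
    # name the case "motivated but not highly, and no controls at all"; this
    # example rates it Medium rather than silently promoting it to High.
    return Level.MEDIUM


# Constructed pairs. Ratings are illustrative judgements, not measurements.
PAIRS = [
    Pair("Terminated employee", "dial-in ID never removed",
         Level.HIGH, Level.HIGH, Level.LOW),
    Pair("Script kiddie", "unpatched web server behind a filtering proxy",
         Level.MEDIUM, Level.MEDIUM, Level.MEDIUM),
    Pair("Foreign intelligence service", "CRT emanations (TEMPEST)",
         Level.HIGH, Level.HIGH, Level.HIGH),      # shielded room, fiber links
    Pair("Recreational hacker", "inbound telnet permitted",
         Level.MEDIUM, Level.HIGH, Level.LOW),     # the open case
    Pair("Terrorist", "cryptanalysis of the VPN cipher",
         Level.HIGH, Level.LOW, Level.LOW),        # motivated, not capable
]


def rate_all(pairs):
    """Return (threat, vulnerability, likelihood) tuples, most likely first."""
    rated = [(p.threat, p.vulnerability, likelihood(p)) for p in pairs]
    return sorted(rated, key=lambda r: -r[2])


if __name__ == "__main__":
    for threat, vuln, lvl in rate_all(PAIRS):
        print(f"{lvl.name:6}  {threat} / {vuln}")
```

Keeping the inputs ordinal rather than numeric is deliberate: the definitions never multiply anything, and a rating that looks like a probability invites false precision. Controls are checked first because effective controls drive the rating to Low regardless of the source, which is the one lever the organization actually holds.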
Summary
• Definition of “threat”
• Reviewed threat categories
• Defined “vulnerability”
• Looked at various “threat-sources” and their motivations
• Brief discussion of likelihood determination and definitions