IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253 Common Threats and Vulnerabilities


Transcript of IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253 Common Threats and Vulnerabilities

Page 1: IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253 Common Threats and Vulnerabilities

(c) 2007 Charles G. Gray 1

IT Risk Management, Planning and Mitigation

TCOM 5253 / MSIS 4253

Common Threats and Vulnerabilities

20 September 2007

Charles G. Gray

Page 2

What is a “Threat”
• Any indication, circumstance or event with the potential to cause the loss of or damage to an asset
• Intention and capability of a threat-source to undertake actions that would be detrimental to:
  – The United States
  – An organization/enterprise

Page 3

Leading Threats for 2007
• Move to non-computer platforms (PDAs)
• Really Big Botnets (60,000 to 100,000)
• Privilege escalation attacks
• Client-side exploits
• Script-based worms for Web 2.0
• Self-updating malware
• Disabling malware tools
• Alternative evil certificates
• Spyware protected by rootkits

Page 4

Threat Categories
• Insiders
  – Intentional
  – Accidental
• Outsiders
  – Criminal
  – Benign
  – Commercial
• Foreign intelligence service
• Terrorist
• Foreign military
• Environmental
• Political
• “Force Majeure”
• Internal processes
• Wireless access
• Other

Page 5

Insiders - Intentional
• Disgruntled or terminated employees
  – Plant malicious computer code
  – “Leaks” to the media
  – Retribution for perceived “wrong”
  – Attempted (or actual) extortion
  – “Whistleblower”
• Espionage/theft of sensitive material
• Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
• Property/software theft

Page 6

Insiders - Accidental
• Careless loss of classified material
• Incorrect data input
• Poor programming skills
• Accidental/improper keystrokes
• Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
  – “Social engineering”
  – Lack of training
• Build-up of cookies, spyware, adware, etc.

Page 7

Outsider - Criminal
• Violent acts against people (“go postal”)
  – Could be a former “insider”
• Theft/destruction of property
• Theft of personal information
  – Account numbers, PINs
  – Medical information
  – Identity theft
• Phishing/Pharming (??)
• “Social engineering”

Page 8

Outsider – Benign (?)
• “Recreational” hackers
• “Script kiddies”
• “Packet monkeys”
• Experimenters (DOS attack??)
• Ethical hackers (an oxymoron??)
  – Penetration testing
• “Researchers”
  – “Mydoom” worm, November 2004

Page 9

Outsider - Commercial
• Spam (unsolicited commercial e-mail)
• Spyware/adware/malware
• Cookies (persistent state client object)
• “Dumpster divers”
• Keyloggers
• Spoofing/masquerading/mimicking
• Modifying GPS code to give wrong location information
• Reverse engineering

Page 10

Foreign Intelligence Service
• Spies (HUMINT – human intelligence)
• Surveillance
  – SIGINT – signals intelligence
• Embassies on hilltops for a reason
  – Satellite-based monitoring (Echelon)
  – ELINT – electronic intelligence (TEMPEST)
• Industrial espionage
• Trade secrets/patents
• “Dumpster diving”
• Cryptanalysis

Page 11

TEMPEST
• Sophisticated electromagnetic monitoring
• CRT images can be monitored
  – Keyboard signals
• Modem LED signals detectable
• Telephone signals are easy
  – Video conferencing signals obtainable
• Red/Black criteria
  – Optical fiber is preferred for connections
• Most government departments are involved
• Over a billion dollars a year in the US

Page 12

Terrorists
• Assassination
• Bombing
• Kidnapping
• Extortion
• Biological/chemical attack
• Infiltration
• Exploitation
• Revenge

Page 13

Foreign Military
• Nuclear attack
• Biological attack
• Low-intensity conflict
• Conventional war
• Asymmetrical conflict
• Cyberwar
  – Chinese doctrine - “anything goes”

Page 14

Environmental
• Fire / tsunami / flood (burst pipe, or other)
• Earthquake
• Pollution / chemicals / liquid leakage
• Storms/lightning
  – Hurricane, cyclone, typhoon
  – Tornado
• Long-term power outage
• Global warming (water levels)

Page 15

Political
• Coups/violence/upheaval
• Unfriendly environment
  – Taxation changes / nationalization
• Accounting rules changes
• Privacy concerns
• Activists – motivated for a cause
  – Anti-globalization (WTO demonstrations)
  – PETA
  – Environmentalists (e.g., Greenpeace)
  – Personal views of “right” and “wrong”

Page 16

“Force Majeure”
• Literally, “greater force” or “Acts of God”
• Webster – “An unexpected or, if expected, an uncontrollable event”
• Examples
  – War/invasion
  – Embargo
  – Epidemic/pandemic
  – Breakdown of machinery
  – Employee strike

Page 17

Internal Processes
• Inadequate change control process
• Lack of audit trails (Sarbanes-Oxley Act)
• Allow indiscriminate system access
  – “Need to know” vs. “access to everything”
• Operations support system failure
  – Back office systems
• Weak access security
  – Password control
  – Physical access (“tailgating”)

Page 18

Wireless Access
• Among European companies:
  – 95% provide mobile access via PCs (79%), PDA/Bluetooth (73%) and smartphones (37%)
  – 47% have not done a detailed security review
    • 11% have done NO security review
  – 26% provide open access to corporate networks, including ERP/CRM systems
• Typically by incremental adoption
  – No corporate standards, hard to manage
  – Hundreds/thousands of uncontrolled devices

Page 19

Other Threats
• Train derailment – damaging fiber optics
• Sunspots (“solar max”)
• High altitude electromagnetic pulse
• Satellite failure
• Undersea cable failure
• Proprietary network failure (e.g., FSO)
• Cell phone blockage (e.g., Ford Motor Co.)

Page 20

Vulnerability
• A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy

Page 21

End-point Vulnerabilities
• USB flash drives – over a billion sold
• iPods – over 100M sold
  – Recent survey – 61% didn’t even know what “podslurping” is
• PDAs – smart phones – wireless e-mail
• Notebook PCs
• SD cards (portable devices)
• SarBox doesn’t discriminate (flash drive or mainframe – data must be protected)

Page 22

Terminated Employee
• Employee ID (multiple) not removed from all systems
  – May allow dial-in to the network
  – Access to proprietary information
  – May lead to extortion/blackmail
• ID/key card may allow unauthorized physical access
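The control that addresses this slide is an offboarding reconciliation: compare the HR termination feed against every system that holds an account or badge and flag anything still enabled. The script below is an added example written for this lecture, not material from the original slides. The HR feed, the account snapshot and the system names ("directory", "vpn", "badge") are constructed sample data; matching is done on the HR employee identifier rather than on login names, so the "multiple IDs" case on the slide is caught as long as each account is linked to an employee record.

```python
"""Offboarding reconciliation: find access that survived a termination.

Added example; not part of the original lecture. All data below is constructed,
and the system names are assumptions about an organisation's inventory.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    system: str        # assumed inventory names: "directory", "vpn", "badge"
    account_id: str    # login name or badge number
    employee_id: str   # HR identifier the account is linked to
    enabled: bool


# Constructed HR feed: employee_id -> termination date
TERMINATED = {
    "E1001": date(2007, 9, 1),
    "E1002": date(2007, 8, 15),
}

# Constructed snapshot of accounts gathered from several systems
ACCOUNTS = [
    Account("directory", "jsmith", "E1001", enabled=False),
    Account("vpn", "jsmith-ras", "E1001", enabled=True),    # dial-in still live
    Account("badge", "B-4412", "E1001", enabled=True),       # key card still active
    Account("directory", "mjones", "E1002", enabled=False),
    Account("vpn", "mjones", "E1002", enabled=False),
    Account("directory", "rlee", "E1003", enabled=True),     # current employee
]

# Constructed "as of" date for the report (the lecture date)
REPORT_DATE = date(2007, 9, 20)


def find_orphaned_access(terminated, accounts, today=None):
    """Return {employee_id: [Account, ...]} for access still enabled on or after
    the employee's termination date. Current employees and already-disabled
    accounts are ignored; a termination dated in the future is not yet a finding."""
    today = today or date.today()
    orphans = {}
    for acct in accounts:
        term_date = terminated.get(acct.employee_id)
        if term_date is None or not acct.enabled:
            continue
        if term_date <= today:
            orphans.setdefault(acct.employee_id, []).append(acct)
    return orphans


def days_overdue(terminated, orphans, today):
    """How many days each flagged employee has retained some access."""
    return {emp: (today - terminated[emp]).days for emp in orphans}


def report_lines(terminated, accounts, today):
    """Human-readable findings, one line per orphaned account."""
    orphans = find_orphaned_access(terminated, accounts, today)
    overdue = days_overdue(terminated, orphans, today)
    lines = []
    for emp, accts in sorted(orphans.items()):
        for a in accts:
            lines.append(f"{emp}: {a.system} account {a.account_id} still enabled "
                         f"({overdue[emp]} days after termination)")
    return lines


if __name__ == "__main__":
    for line in report_lines(TERMINATED, ACCOUNTS, REPORT_DATE):
        print(line)
```

Run against real data, the two inputs would come from the HR system export and from each system's account listing (directory, remote access, physical access control); the report is the list to hand to the administrators of those systems.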

Page 23

System Firewall(s)
• Allow inbound telnet
• “Guest” ID is enabled on one or more servers, allowing system files to be browsed by:
  – Hackers, criminals
  – Disgruntled employees
  – Terrorists
• Telephone calling cards
• DISA (phone system)

Page 24

Vendor-identified Flaws
• Known system vulnerabilities
  – Patches not installed
  – Microsoft Windows seriously flawed
• Risk of unauthorized access by:
  – Hackers, criminals
  – Disgruntled employees
  – Terrorists
• Patches and “service packs” should be installed immediately upon availability

Page 25

Physical Environment
• Water instead of Halon for fire suppression
  – Halon banned in the EU 31 Dec 2003
  – Replacements are
    • 3M Novec 1230
    • DuPont FE-25
• Protective covers must be available and placed properly
  – Protection from water (rain) incursion, plumbing leaks
  – Construction may change drainage plan

Page 26

Threat Sources
• Hacker, cracker
• Computer criminal
• Terrorist
• Industrial espionage
  – The “cleaning” team
• Insiders (employees or consultants)
  – Poorly trained programmers/developers
  – Disgruntled
  – Malicious/dishonest
  – Negligent

Page 27

Threat Sources/Motivation
• Hacker/cracker
  – Challenge, ego, rebellion
• Computer criminal
  – Destruction of information, monetary gain
  – Data alteration, illegal information disclosure
• Terrorist
  – Blackmail, destruction, exploitation, revenge
• Industrial espionage
  – Competitive advantage, economic espionage

Page 28

Threat Sources/Motivation
• Insiders (employees/consultants)
  – Curiosity
  – Ego
  – Intelligence
  – Monetary gain
    • Insider trading
  – Revenge
  – Unintentional (poor workmanship)
    • Data entry error
    • Programming error

Page 29

Likelihood Determination
• The probability that a potential vulnerability may be exercised within the context of the associated threat environment involves
  – Threat-source motivation and capability
  – Nature of the vulnerability
  – Existence and effectiveness of current controls

Page 30

Likelihood Definitions
• High
  – Threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective or non-existent

Page 31

Likelihood Definitions
• Medium
  – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability

Page 32

Likelihood Definitions
• Low
  – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised
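The three definitions on pages 30 to 32 form a decision rule over the factors listed on page 29 (threat-source motivation and capability, and the existence and effectiveness of controls). The code below encodes that rule and applies it to a small threat/vulnerability register so that pairs can be ranked for attention. It is an added example written for this lecture, not code from the original slides; the register entries are constructed, and the three control states are an assumption that maps the wording of the definitions onto discrete values.

```python
"""Likelihood rating (High / Medium / Low) per the lecture's three definitions.

Added example; not part of the original slides. The register is constructed
sample data, and the Controls enum is an assumed discretisation of the
"ineffective / may impede / prevent or significantly impede" wording.
"""
from dataclasses import dataclass
from enum import Enum


class Controls(Enum):
    NONE = "ineffective or non-existent"
    IMPEDING = "in place, may impede successful exercise"
    PREVENTING = "in place, prevent or significantly impede exercise"


@dataclass(frozen=True)
class ThreatPair:
    threat_source: str
    vulnerability: str
    motivated: bool      # threat-source motivation (page 29)
    capable: bool        # threat-source capability (page 29)
    controls: Controls   # existence and effectiveness of current controls


def rate_likelihood(motivated, capable, controls):
    """Apply the definitions in order of precedence: Low, then High, else Medium."""
    # Low: threat-source lacks motivation or capability, or controls prevent /
    # significantly impede the vulnerability from being exercised (page 32)
    if not (motivated and capable) or controls is Controls.PREVENTING:
        return "Low"
    # High: motivated and capable, and controls are ineffective or absent (page 30)
    if controls is Controls.NONE:
        return "High"
    # Medium: motivated and capable, but controls may impede exercise (page 31)
    return "Medium"


RANK = {"High": 3, "Medium": 2, "Low": 1}


def rank_register(pairs):
    """Return (rating, pair) tuples, highest likelihood first; ties keep input order."""
    rated = [(rate_likelihood(p.motivated, p.capable, p.controls), p) for p in pairs]
    return sorted(rated, key=lambda rp: RANK[rp[0]], reverse=True)


def summarize(pairs):
    """Count of register entries at each likelihood level."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for rating, _ in rank_register(pairs):
        counts[rating] += 1
    return counts


# Constructed register drawing on threat sources and vulnerabilities named in
# the lecture; the ratings of motivation, capability and controls are illustrative.
REGISTER = [
    ThreatPair("Disgruntled former employee", "Employee ID not removed from dial-in",
               motivated=True, capable=True, controls=Controls.NONE),
    ThreatPair("Recreational hacker", "Inbound telnet allowed by firewall",
               motivated=True, capable=True, controls=Controls.IMPEDING),
    ThreatPair("Foreign intelligence service", "CRT emanations (TEMPEST)",
               motivated=True, capable=True, controls=Controls.PREVENTING),
    ThreatPair("Careless insider", "Incorrect data input",
               motivated=False, capable=True, controls=Controls.NONE),
]


if __name__ == "__main__":
    for rating, pair in rank_register(REGISTER):
        print(f"{rating:6}  {pair.threat_source}: {pair.vulnerability}")
    print(summarize(REGISTER))
```

The Low rule is checked first because both halves of the page 32 definition override the others: an unmotivated or incapable source stays Low even with no controls, and an effective control yields Low even against a capable, motivated source. The "nature of the vulnerability" factor from page 29 is left to the analyst here, since the three definitions do not give it a separate rule.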

Page 33

Summary
• Definition of “threat”
• Reviewed threat categories
• Defined “Vulnerability”
• Looked at various “threat-sources” and their motivations
• Brief discussion of likelihood determination and definitions