Post on 25-Feb-2016


(c) 2007 Charles G. Gray 1

IT Risk Management, Planning and Mitigation

TCOM 5253 / MSIS 4253

Common Threats and Vulnerabilities

20 September 2007

Charles G. Gray

What is a “Threat”
• Any indication, circumstance or event with the potential to cause the loss of or damage to an asset
• Intention and capability of a threat-source to undertake actions that would be detrimental to:
  – The United States
  – An organization/enterprise

Leading Threats for 2007
• Move to non-computer platforms (PDAs)
• Really Big Botnets (60,000 to 100,000)
• Privilege escalation attacks
• Client-side exploits
• Script-based worms for Web 2.0
• Self-updating malware
• Disabling malware tools
• Alternative evil certificates
• Spyware protected by rootkits

Threat Categories
• Insiders
  – Intentional
  – Accidental
• Outsiders
  – Criminal
  – Benign
  – Commercial
• Foreign intelligence service
• Terrorist
• Foreign military
• Environmental
• Political
• “Force Majeure”
• Internal processes
• Wireless access
• Other

Insiders - Intentional
• Disgruntled or terminated employees
  – Plant malicious computer code
  – “Leaks” to the media
  – Retribution for perceived “wrong”
  – Attempted (or actual) extortion
  – “Whistleblower”
• Espionage/theft of sensitive material
• Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
• Property/software theft

Insiders - Accidental
• Careless loss of classified material
• Incorrect data input
• Poor programming skills
• Accidental/improper keystrokes
• Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
  – “Social engineering”
  – Lack of training
• Build-up of cookies, spyware, adware, etc.

Outsider - Criminal
• Violent acts against people (“go postal”)
  – Could be a former “insider”
• Theft/destruction of property
• Theft of personal information
  – Account numbers, PINs
  – Medical information
  – Identity theft
• Phishing/Pharming (??)
• “Social engineering”

Outsider – Benign (?)
• “Recreational” hackers
• “Script kiddies”
• “Packet monkeys”
• Experimenters (DOS attack??)
• Ethical hackers (an oxymoron??)
  – Penetration testing
• “Researchers”
  – “Mydoom” worm, November 2004

Outsider - Commercial
• Spam (unsolicited commercial e-mail)
• Spyware/adware/malware
• Cookies (persistent state client object)
• “Dumpster divers”
• Keyloggers
• Spoofing/masquerading/mimicking
• Modifying GPS code to give wrong location information
• Reverse engineering

Foreign Intelligence Service
• Spies (HUMINT – human intelligence)
• Surveillance
  – SIGINT – signal intelligence
    • Embassies on hilltops for a reason
  – Satellite-based monitoring (Echelon)
  – ELINT – electronic intelligence (TEMPEST)
• Industrial espionage
• Trade secrets/patents
• “Dumpster diving”
• Cryptanalysis

TEMPEST
• Sophisticated electromagnetic monitoring
• CRT images can be monitored
  – Keyboard signals
• Modem LED signals detectable
• Telephone signals are easy
  – Video conferencing signals obtainable
• Red/Black criteria
  – Optical fiber is preferred for connections
• Most government departments are involved
• Over a billion dollars a year in the US

Terrorists
• Assassination
• Bombing
• Kidnapping
• Extortion
• Biological/chemical attack
• Infiltration
• Exploitation
• Revenge

Foreign Military
• Nuclear attack
• Biological attack
• Low-intensity conflict
• Conventional war
• Asymmetrical conflict
• Cyberwar
  – Chinese doctrine - “anything goes”

Environmental
• Fire / tsunami / flood (burst pipe, or other)
• Earthquake
• Pollution / chemicals / liquid leakage
• Storms/lightning
  – Hurricane, cyclone, typhoon
  – Tornado
• Long-term power outage
• Global warming (water levels)

Political
• Coups/violence/upheaval
• Unfriendly environment
  – Taxation changes / nationalization
• Accounting rules changes
• Privacy concerns
• Activists – motivated for a cause
  – Anti-globalization (WTO demonstrations)
  – PETA
  – Environmentalists (e.g., Greenpeace)
  – Personal views of “right” and “wrong”

“Force Majeure”
• Literally, “greater force” or “Acts of God”
• Webster – “An unexpected or, if expected, an uncontrollable event”
• Examples
  – War/invasion
  – Embargo
  – Epidemic/pandemic
  – Breakdown of machinery
  – Employee strike

Internal Processes
• Inadequate change control process
• Lack of audit trails (Sarbanes-Oxley Act)
• Allow indiscriminate system access
  – “Need to know” vs. “access to everything”
• Operations support system failure
  – Back office systems
• Weak access security
  – Password control
  – Physical access (“tailgating”)

Wireless Access
• Among European companies:
  – 95% provide mobile access via PCs (79%), PDA/Bluetooth (73%) and smartphones (37%)
  – 47% have not done a detailed security review
    • 11% have done NO security review
  – 26% provide open access to corporate networks, including ERP/CRM systems
• Typically by incremental adoption
  – No corporate standards, hard to manage
  – Hundreds/thousands of uncontrolled devices

Other Threats
• Train derailment – damaging fiber optics
• Sunspots (“solar max”)
• High altitude electromagnetic pulse
• Satellite failure
• Undersea cable failure
• Proprietary network failure (e.g., FSO)
• Cell phone blockage (e.g., Ford Motor Co.)

Vulnerability
• A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy

End-point Vulnerabilities
• USB flash drives – over a billion sold
• iPods – over 100M sold
  – Recent survey – 61% didn’t even know what “podslurping” is
• PDAs – smart phones – wireless e-mail
• Notebook PCs
• SD cards (portable devices)
• SarBox doesn’t discriminate (flash drive or mainframe – data must be protected)

Terminated Employee
• Employee ID (multiple) not removed from all systems
  – May allow dial-in to the network
  – Access to proprietary information
  – May lead to extortion/blackmail
• ID/key card may allow unauthorized physical access
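The reconciliation this slide calls for, as an added example that is not part of the original deck: a Python script that compares a constructed HR termination roster against constructed account exports from three hypothetical systems (a VPN dial-in server, a file server and the badge system) and lists every account still enabled for someone who has left, including the case of one employee holding several IDs on the same system. All system names, account names and employee numbers are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from any real organisation): an HR termination
# roster and account exports from three hypothetical systems, in the shape a
# deprovisioning audit would pull from HR and from each system's admin tooling.
HR_TERMINATIONS = """employee,terminated
E1001,2007-09-01
E1002,2007-09-10
"""

ACCOUNT_EXPORTS = {
    "vpn-dialin": """account,employee,enabled
jsmith,E1001,true
kjones,E1003,true
""",
    # One person, two IDs on the same system: the slide's "Employee ID (multiple)"
    "fileserver": """account,employee,enabled
jsmith,E1001,false
jsmith2,E1001,true
mlee,E1002,true
""",
    # Physical access is just another account store to reconcile
    "badge-system": """account,employee,enabled
0451,E1002,true
0452,E1003,true
""",
}


def orphaned_accounts(hr_csv, exports, as_of_iso):
    """Return (system, account, employee, days_open) for every account still enabled
    but owned by an employee terminated on or before as_of_iso (YYYY-MM-DD)."""
    as_of = date.fromisoformat(as_of_iso)
    terminated = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        term_date = date.fromisoformat(row["terminated"])
        if term_date <= as_of:
            terminated[row["employee"]] = term_date
    findings = []
    for system, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            if row["enabled"].lower() == "true" and row["employee"] in terminated:
                days_open = (as_of - terminated[row["employee"]]).days
                findings.append((system, row["account"], row["employee"], days_open))
    # Longest-outstanding access first; the stable sort keeps export order within ties
    return sorted(findings, key=lambda f: -f[3])


if __name__ == "__main__":
    for system, account, emp, days in orphaned_accounts(HR_TERMINATIONS, ACCOUNT_EXPORTS, "2007-09-20"):
        print(f"{system:12} {account:8} {emp} still enabled {days} days after termination")
```

Disabled accounts (the first `jsmith` entry) are not reported, so the same run doubles as evidence that deprovisioning on that system worked.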

System Firewall(s)
• Allow inbound telnet
• “Guest” ID is enabled on one or more servers, allowing browsing of system files to:
  – Hackers, criminals
  – Disgruntled employees
  – Terrorists
• Telephone calling cards
• DISA (phone system)

Vendor-identified Flaws
• Known system vulnerabilities
  – Patches not installed
  – Microsoft Windows seriously flawed
• Risk of unauthorized access by:
  – Hackers, criminals
  – Disgruntled employees
  – Terrorists
• Patches and “service packs” should be installed immediately upon availability

Physical Environment
• Water instead of Halon for fire suppression
  – Halon banned in the EU 31 Dec 2003
  – Replacements are
    • 3M Novec 1230
    • DuPont FE-25
• Protective covers must be available and placed properly
  – Protection from water (rain) incursion, plumbing leaks
  – Construction may change drainage plan

Threat Sources
• Hacker, cracker
• Computer criminal
• Terrorist
• Industrial espionage
  – The “cleaning” team
• Insiders (employees or consultants)
  – Poorly trained programmers/developers
  – Disgruntled
  – Malicious/dishonest
  – Negligent

Threat Sources/Motivation
• Hacker/cracker
  – Challenge, ego, rebellion
• Computer criminal
  – Destruction of information, monetary gain
  – Data alteration, illegal information disclosure
• Terrorist
  – Blackmail, destruction, exploitation, revenge
• Industrial espionage
  – Competitive advantage, economic espionage

Threat Sources/Motivation (continued)
• Insiders (employees/consultants)
  – Curiosity
  – Ego
  – Intelligence
  – Monetary gain
    • Insider trading
  – Revenge
  – Unintentional (poor workmanship)
    • Data entry error
    • Programming error

Likelihood Determination
• The probability that a potential vulnerability may be exercised within the context of the associated threat environment involves
  – Threat-source motivation and capability
  – Nature of the vulnerability
  – Existence and effectiveness of current controls

Likelihood Definitions
• High
  – Threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective or non-existent
• Medium
  – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability
• Low
  – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised

Summary
• Definition of “threat”
• Reviewed threat categories
• Defined “vulnerability”
• Looked at various “threat-sources” and their motivations
• Brief discussion of likelihood determination and definitions