IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253 Common Threats and Vulnerabilities
(c) 2007 Charles G. Gray 1
IT Risk Management, Planning and Mitigation
TCOM 5253 / MSIS 4253
Common Threats and Vulnerabilities
20 September 2007
Charles G. Gray
What is a “Threat”
• Any indication, circumstance or event with the potential to cause the loss of or damage to an asset
• Intention and capability of a threat-source to undertake actions that would be detrimental to:
  – The United States
  – An organization/enterprise
Leading Threats for 2007
• Move to non-computer platforms (PDAs)
• Really Big Botnets (60,000 to 100,000)
• Privilege escalation attacks
• Client-side exploits
• Script-based worms for Web 2.0
• Self-updating malware
• Disabling malware tools
• Alternative evil certificates
• Spyware protected by rootkits
Threat Categories
• Insiders
  – Intentional
  – Accidental
• Outsiders
  – Criminal
  – Benign
  – Commercial
• Foreign intelligence service
• Terrorist
• Foreign military
• Environmental
• Political
• “Force Majeure”
• Internal processes
• Wireless access
• Other
Insiders - Intentional
• Disgruntled or terminated employees
  – Plant malicious computer code
  – “Leaks” to the media
  – Retribution for perceived “wrong”
  – Attempted (or actual) extortion
  – “Whistleblower”
• Espionage/theft of sensitive material
• Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
• Property/software theft
Insiders - Accidental
• Careless loss of classified material
• Incorrect data input
• Poor programming skills
• Accidental/improper keystrokes
• Unauthorized disclosure of proprietary material, documents, trade secrets, etc.
  – “Social engineering”
  – Lack of training
• Build-up of cookies, spyware, adware, etc.
Outsider - Criminal
• Violent acts against people (“go postal”)
  – Could be a former “insider”
• Theft/destruction of property
• Theft of personal information
  – Account numbers, PINs
  – Medical information
  – Identity theft
• Phishing/Pharming (??)
• “Social engineering”
Outsider – Benign (?)
• “Recreational” hackers
• “Script kiddies”
• “Packet monkeys”
• Experimenters (DOS attack??)
• Ethical hackers (an oxymoron??)
  – Penetration testing
• “Researchers”
  – “Mydoom” worm, November 2004
Outsider - Commercial
• Spam (unsolicited commercial e-mail)
• Spyware/adware/malware
• Cookies (persistent state client object)
• “Dumpster divers”
• Keyloggers
• Spoofing/masquerading/mimicking
• Modifying GPS code to give wrong location information
• Reverse engineering
Foreign Intelligence Service
• Spies (HUMINT – human intelligence)
• Surveillance
  – SIGINT – signal intelligence
    • Embassies on hilltops for a reason
  – Satellite-based monitoring (Echelon)
  – ELINT – electronic intelligence (TEMPEST)
• Industrial espionage
• Trade secrets/patents
• “Dumpster diving”
• Cryptanalysis
TEMPEST
• Sophisticated electromagnetic monitoring
• CRT images can be monitored
  – Keyboard signals
• Modem LED signals detectable
• Telephone signals are easy
  – Video conferencing signals obtainable
• Red/Black criteria
  – Optical fiber is preferred for connections
• Most government departments are involved
• Over a billion dollars a year in the US
Terrorists
• Assassination
• Bombing
• Kidnapping
• Extortion
• Biological/chemical attack
• Infiltration
• Exploitation
• Revenge
Foreign Military
• Nuclear attack
• Biological attack
• Low-intensity conflict
• Conventional war
• Asymmetrical conflict
• Cyberwar
  – Chinese doctrine - “anything goes”
Environmental
• Fire / tsunami / flood (burst pipe, or other)
• Earthquake
• Pollution / chemicals / liquid leakage
• Storms/lightning
  – Hurricane, cyclone, typhoon
  – Tornado
• Long-term power outage
• Global warming (water levels)
Political
• Coups/violence/upheaval
• Unfriendly environment
  – Taxation changes / nationalization
• Accounting rules changes
• Privacy concerns
• Activists – motivated for a cause
  – Anti-globalization (WTO demonstrations)
  – PETA
  – Environmentalists (e.g., Greenpeace)
  – Personal views of “right” and “wrong”
“Force Majeure”
• Literally, “greater force” or “Acts of God”
• Webster – “An unexpected or, if expected, an uncontrollable event”
• Examples
  – War/invasion
  – Embargo
  – Epidemic/pandemic
  – Breakdown of machinery
  – Employee strike
Internal Processes
• Inadequate change control process
• Lack of audit trails (Sarbanes-Oxley Act)
• Allow indiscriminate system access
  – “Need to know” vs. “access to everything”
• Operations support system failure
  – Back office systems
• Weak access security
  – Password control
  – Physical access (“tailgating”)
Wireless Access
• Among European companies:
  – 95% provide mobile access via PCs (79%), PDA/Bluetooth (73%) and smartphones (37%)
  – 47% have not done a detailed security review
    • 11% have done NO security review
  – 26% provide open access to corporate networks, including ERP/CRM systems
• Typically by incremental adoption
  – No corporate standards, hard to manage
  – Hundreds/thousands of uncontrolled devices
Other Threats
• Train derailment – damaging fiber optics
• Sunspots (“solar max”)
• High altitude electromagnetic pulse
• Satellite failure
• Undersea cable failure
• Proprietary network failure (e.g., FSO)
• Cell phone blockage (e.g., Ford Motor Co.)
Vulnerability
• A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy
End-point Vulnerabilities
• USB flash drives – over a billion sold
• iPods – over 100M sold
  – Recent survey – 61% didn’t even know what “podslurping” is
• PDAs – smart phones – wireless e-mail
• Notebook PCs
• SD cards (portable devices)
• SarBox doesn’t discriminate (flash drive or mainframe – data must be protected)
Terminated Employee
• Employee ID (multiple) not removed from all systems
  – May allow dial-in to the network
  – Access to proprietary information
  – May lead to extortion/blackmail
• ID/key card may allow unauthorized physical access
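The gap this slide describes is an identity that survives in one system after HR has closed it in another. As an added example (not from the slides), the check below reconciles a constructed HR termination list against constructed per-system account lists, including the badge system, and also flags accounts that belong to no one, such as the “Guest” ID on the next slide; all names, IDs and system labels are invented sample data.

```python
# Added example, not from the slide deck: find employee IDs that were never
# removed after termination. All roster and account data below is constructed.
from datetime import date

# Constructed HR roster: employee -> termination date (None = still employed).
HR_ROSTER = {
    "jdoe": date(2007, 8, 15),
    "asmith": None,
    "bjones": date(2007, 9, 1),
}

# Constructed per-system account lists. One person may hold several IDs (the
# slide's "Employee ID (multiple)"), so each account maps to its HR owner;
# an owner of None means nobody in HR is accountable for the account.
SYSTEM_ACCOUNTS = {
    "dial-in RAS": {"jdoe": "jdoe", "asmith": "asmith"},
    "file server": {"jdoe2": "jdoe", "bjones": "bjones", "guest": None},
    "badge system": {"card-0417": "jdoe", "card-0912": "bjones"},
}


def orphaned_accounts(roster=HR_ROSTER, systems=SYSTEM_ACCOUNTS,
                      today=date(2007, 9, 20)):
    """Return {system: [account, ...]} for accounts whose owner was terminated
    on or before `today`. Accounts with no HR owner (for example a shared
    'guest' ID) are listed under the key 'unowned' for manual review."""
    terminated = {emp for emp, left in roster.items()
                  if left is not None and left <= today}
    findings = {}
    unowned = []
    for system, accounts in systems.items():
        stale = sorted(acct for acct, owner in accounts.items()
                       if owner in terminated)
        if stale:
            findings[system] = stale
        unowned.extend(f"{system}:{acct}" for acct, owner in accounts.items()
                       if owner is None)
    if unowned:
        findings["unowned"] = sorted(unowned)
    return findings


if __name__ == "__main__":
    for system, accounts in orphaned_accounts().items():
        print(f"{system}: {', '.join(accounts)}")
```

Run against real exports, the same function turns the slide's warning into a recurring control: every account in the result is one the deprovisioning process missed.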
System Firewall(s)
• Allow inbound telnet
• “Guest” ID is enabled on one or more servers allowing browsing system files to:
  – Hackers, criminals
  – Disgruntled employees
  – Terrorists
• Telephone calling cards
• DISA (phone system)
Vendor-identified Flaws
• Known system vulnerabilities
  – Patches not installed
  – Microsoft Windows seriously flawed
• Risk of unauthorized access by:
  – Hackers, criminals
  – Disgruntled employees
  – Terrorists
• Patches and “service packs” should be installed immediately upon availability
Physical Environment
• Water instead of Halon for fire suppression
  – Halon banned in the EU 31 Dec 2003
  – Replacements are
    • 3M Novec 1230
    • DuPont FE-25
• Protective covers must be available and placed properly
  – Protection from water (rain) incursion, plumbing leaks
  – Construction may change drainage plan
Threat Sources
• Hacker, cracker
• Computer criminal
• Terrorist
• Industrial espionage
  – The “cleaning” team
• Insiders (employees or consultants)
  – Poorly trained programmers/developers
  – Disgruntled
  – Malicious/dishonest
  – Negligent
Threat Sources/Motivation
• Hacker/cracker
  – Challenge, ego, rebellion
• Computer criminal
  – Destruction of information, monetary gain
  – Data alteration, illegal information disclosure
• Terrorist
  – Blackmail, destruction, exploitation, revenge
• Industrial espionage
  – Competitive advantage, economic espionage
Threat Sources/Motivation
• Insiders (employees/consultants)
  – Curiosity
  – Ego
  – Intelligence
  – Monetary gain
    • Insider trading
  – Revenge
  – Unintentional (poor workmanship)
    • Data entry error
    • Programming error
Likelihood Determination
• The probability that a potential vulnerability may be exercised within the context of the associated threat environment involves
  – Threat-source motivation and capability
  – Nature of the vulnerability
  – Existence and effectiveness of current controls
Likelihood Definitions
• High
  – Threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective or non-existent
Likelihood Definitions
• Medium
  – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability
Likelihood Definitions
• Low
  – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised
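The three definitions above are a decision rule over the inputs listed on the Likelihood Determination slide (threat-source motivation and capability, and the existence and effectiveness of controls). As an added example (not from the slides), the function below encodes that rule so that the same inputs always yield the same rating, and applies it to a few constructed threat/vulnerability pairs taken from the deck's own vulnerability slides; the ControlState names and the scenario values are assumptions made for the example.

```python
# Added example, not from the slide deck: the deck's High / Medium / Low
# likelihood definitions as a rating function. Scenario data is constructed.
from dataclasses import dataclass
from enum import Enum


class ControlState(Enum):
    NONE = "non-existent"          # no control exists
    INEFFECTIVE = "ineffective"    # control exists but does not work
    MAY_IMPEDE = "may impede"      # control in place, may hinder exercise
    PREVENTS = "prevents"          # control prevents or significantly impedes


@dataclass(frozen=True)
class ThreatVulnPair:
    vulnerability: str
    motivated: bool       # threat-source is (highly) motivated
    capable: bool         # threat-source is sufficiently capable
    controls: ControlState


def likelihood(pair: ThreatVulnPair) -> str:
    """Return 'High', 'Medium' or 'Low' per the deck's definitions."""
    # Low: the threat-source lacks motivation OR capability, OR controls
    # prevent / significantly impede exercise of the vulnerability.
    if not (pair.motivated and pair.capable) or pair.controls is ControlState.PREVENTS:
        return "Low"
    # Medium: motivated and capable, but a control in place may impede.
    if pair.controls is ControlState.MAY_IMPEDE:
        return "Medium"
    # High: motivated and capable, controls ineffective or non-existent.
    return "High"


# Constructed scenarios drawn from the deck's vulnerability slides.
SCENARIOS = [
    ThreatVulnPair("terminated employee ID still allows dial-in", True, True, ControlState.NONE),
    ThreatVulnPair("inbound telnet allowed through firewall", True, True, ControlState.MAY_IMPEDE),
    ThreatVulnPair("vendor patch not installed (threat lacks capability)", True, False, ControlState.INEFFECTIVE),
    ThreatVulnPair("guest ID enabled on file server", True, True, ControlState.PREVENTS),
]


def rate_all(pairs=SCENARIOS) -> dict:
    """Map each scenario's vulnerability text to its likelihood rating."""
    return {p.vulnerability: likelihood(p) for p in pairs}


if __name__ == "__main__":
    for vuln, rating in rate_all().items():
        print(f"{rating:6s} {vuln}")
```

The ordering of the tests matters: the Low rule is checked first because its "lacks motivation or capability" clause overrides the state of the controls, which is exactly how the slide phrases it.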
Summary
• Definition of “threat”
• Reviewed threat categories
• Defined “vulnerability”
• Looked at various “threat-sources” and their motivations
• Brief discussion of likelihood determination and definitions