Information Security A Practical Guide: Bridging the gap between IT and management (2015)
CHAPTER 4. THREATS
This chapter discusses the potential threats to your organisation, and describes the threats as people with motivations and their capabilities. When conversing with the business it is difficult to describe the threats and risks to a system using technical language. I was giving a presentation on the importance of website security to a business when I was asked, “Why would anyone ever want to attack our system?” I realised at that moment that although they understood the concept of website security I had failed to convince them of the need for it. By using the following technique of creating threat actors you can better convince non-technical people of the need for security as well as build an overall threat landscape for your organisation.
Keep a log of how the threats might compromise your system. This helps you to understand how your system is likely to be attacked and focus on where the most security controls are needed. If you find that most threats would try and compromise the system physically then you can implement more physical controls; if most would attack the network over the Internet then you can ensure you have better network perimeter controls.
Another benefit of keeping a list of threats in this manner is that it allows you to apply those threats to the real world. So, for example, if the police report increased activity by burglars in your area, you can adapt your threats log and take action if necessary. Or, if you read that hackers are increasingly targeting organisations similar to your own, you can work with the networks team to ensure they are extra vigilant. The threat actor model gives you a common understanding to converse and understand changes in the threat landscape. Additionally, if you share your threat log with members of the business, they can also apply their knowledge and understand when a threat increases or decreases. The more people who understand the threats, the more effective your organisation will be at combating them.
In this chapter you will learn the following:
• How to understand the threat landscape for your organisation
• How to describe threats in a tangible way
• Understanding the capabilities of threats
• Understanding the motivations of the threats to your organisation.
Types of Threats
The following are the typical threats faced by an organisation. They are generalisations but if you spend time with someone who understands your organisation, you can adapt them for your own purposes. Also take the time to understand previous breaches that have occurred and build threat actors based on those, as this will help you better understand the capabilities and motivations of those who wish to compromise your organisation.
When we think about information security, hackers are the most obvious threat and typically the one we are most familiar with. Hackers attack our IT systems over a network, typically the Internet; they are skilled and able to tailor their attacks. These hackers are more capable than the typical script kiddies and can exploit more than the basic security vulnerabilities.
Hackers try to accomplish one or more of the following:
• Financial gain: the theft of financial information or personal information that they can sell
• Control of computer systems to further support other hacking activities
• To show off their skills.
Hackers usually work alone or in small groups, and use bespoke skills. They usually target systems that they are confident of breaching, so they favour easy systems to compromise. They target several systems then focus on those systems that are most likely to succumb to their attack.
I have purposely separated malware writers (or malware itself) from the standard network attacks. This is because this threat targets different systems and the controls needed to mitigate it are very different. By malware writers I mean, in effect, the malware itself. In recent years malware has transformed from a damaging annoyance into something more dangerous: modern malware will often seek out and steal information, or hold information hostage and demand a ransom to release it. Malware writers favour spreading their software over the Internet when targets visit compromised websites.
Malware writers typically have the following motivations:
• Theft of financial data or personal information that they can sell
• Encrypting data and then demanding a ransom for the decryption keys
• Recruitment of systems into their botnets.
Malware writers usually work alone or in small groups. Their malware mostly targets Windows systems, but more recently cross-platform malware has appeared. Malware writers favour a scattergun approach, trying to spread to as many systems as possible using whatever vulnerability they understand. They often revise their software so that new variants use different vulnerabilities and try to subvert antivirus programs.
Script kiddies have the most basic technical skills. They download hacking tools developed by more skilled hackers and malware writers and use attacks they don’t fully understand. Although they are the least skilled, they are the most prevalent. If you attach a system to the Internet and monitor for attacks, you will see that it comes under attack daily, and these attacks are easily recognised by most intrusion detection systems. I have separated them from hackers because of their differing skill levels and because script kiddie attacks occur more often.
Script kiddies are usually motivated by the following:
• Boredom: they have nothing to do so are mischievous.
• Showing off: they and their friends have poor IT skills and want to show off to one another.
Script kiddies scan the Internet for vulnerable systems using automated tools. Their technical skill is often very limited, and this can be even more of a concern: because they do not understand what they are doing, they may damage systems accidentally. Script kiddies favour the more current and fashionable tools.
Often journalists aren’t considered a threat to an IT system, and in the traditional sense they aren’t: usually a journalist won’t attack the system online. What they do instead is compromise the system physically. Journalists usually have very limited technical skills unless they enlist someone else’s help. A physical compromise is favoured because it lets them gather evidence to support their aims.
These aims are usually one of the following:
• Public interest
• Big-selling story
• To build their reputation.
Journalists do have some exemptions under the Data Protection Act, but they must still comply with the Computer Misuse Act; this is another reason for favouring physical compromise over a cyber attack. Journalists often use undercover techniques, for example posing as a cleaner or other staff member to gain physical access. This threat poses a very interesting vector and may motivate some organisations to carry out background checks on all the staff they employ.
Criminals should not be confused with hackers or malware writers. Although all these threats commit crimes, criminals’ motivations and techniques are different. A criminal is often trying to subvert the process or service that the IT system itself supplies, for example buying something using someone else’s payment details. This is a different threat to consider because we need to look not only at how the technology we build can be compromised but also at what we build.
A criminal’s motivation is the most basic:
• Financial gain
• Support for other crimes.
The scariest thing about criminals is that although their motivation is the most basic, it is also the strongest. Financial motivation coupled with a lack of morals makes this a very daunting threat, and criminals will often not rule out any attack vector if the rewards are great enough. This means that they may not only attack the system online but also favour a physical compromise of it.
The best way to think about a physical intruder is to think about a typical burglar: someone who has broken in intending to steal the physical assets rather than the information itself. IT equipment is often very valuable and sells easily on sites such as eBay. Fortunately server and rack equipment is large and not easy to steal, so this may lead the physical intruder to steal things such as copper cabling that can be sold for profit. A physical intrusion may occur even if there is nothing of value at the location; some intruders break in on the off chance of finding something of value.
Physical intruders are motivated by the following:
• Financial gain
• Potential financial gain.
Physical intruders are usually motivated not by the value of the data but by the value of the physical systems. This can lead to the risk of a compromise being miscalculated, as people tend to consider only the value of the information they are protecting and not the physical infrastructure.
Researchers are a strange category that most people do not consider. A researcher becomes more of a problem as the profile of your organisation rises. Take Facebook as an example: its website comes under daily scrutiny from people trying to find security vulnerabilities, and their motivations vary greatly. Some do it to receive payment from a bug bounty, and some to produce a paper or other research that they want to present. Whatever their motivation, these researchers are often the best equipped to target your system, because they have great technical knowledge and have selected your system for a reason, usually because they believe they will be successful.
Researchers are typically motivated by the following:
• Fame: publishing their findings and receiving credit
• Money: payment either from a bug bounty or the sale of their findings, perhaps to a journalist
• Pure research: for a dissertation or other research.
A researcher usually goes only as far as finding the vulnerabilities in your system; they won’t actually exploit them. A researcher typically wants to stay on the right side of the law, so will be keen not to break it. The researcher may even inform you of their findings before publication, so it is important that you take the time to respond and act on them before publication. A lot of the impact on the organisation can be mitigated if the researcher states that their findings have since been fixed.
Hacktivists have become more and more prevalent over the last few years, with groups such as LulzSec and Anonymous now an active threat. These groups comprise people who have hacking skills but are motivated by some moral goal. They typically target government organisations or organisations with ties to government. Depending on your business, they may target you; for example, Greenpeace has been accused of hacking oil companies.
Hacktivists have the following motivations:
• Public awareness of their cause
• An effective means of protesting their views.
The technical skills of hacktivists are limited, and they focus on disruption rather than breaking into a system and stealing data. Denial-of-service (DoS) attacks are their preferred method of disruption. A DoS attack overloads the target with so much traffic that the system is too preoccupied with the data being fired at it to have the capacity to service legitimate users. Such attacks may be only an annoyance unless you rely on your website for your core business. The motivations of hacktivists can change overnight, so it is important to be aware of any changes in society that may motivate them to target your organisation.
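Two of the actors above leave recognisable traces in ordinary web server logs: the script kiddie’s automated tools walk a list of well-known paths that do not exist on your system, and a DoS attack shows up as one client consuming far more capacity per second than any legitimate visitor. The following is an added example, not from the book, that applies those two simple heuristics to a constructed access log. The log lines, the RFC 5737 documentation addresses in them and the thresholds (five requests in one second, three distinct missing paths) are illustrative assumptions; a real intrusion detection system uses richer signatures, but the idea is the same.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Minimal matcher for an Apache/nginx "combined"-style access-log line:
# client IP, timestamp (timezone ignored), method, path and status code.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\s\]]+)[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log (documentation addresses, not real traffic):
#   203.0.113.5  walks a list of admin paths that do not exist on this site
#   198.51.100.7 fires six requests at the front page within one second
#   192.0.2.10   is an ordinary visitor
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2015:13:55:30 +0000] "GET / HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2015:13:55:31 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2015:13:55:32 +0000] "GET /wp-login.php HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2015:13:55:33 +0000] "GET /admin/ HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2015:13:55:34 +0000] "GET /.env HTTP/1.1" 404 512
192.0.2.10 - - [10/Oct/2015:13:55:35 +0000] "GET /about.html HTTP/1.1" 200 1840
198.51.100.7 - - [10/Oct/2015:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2015:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2015:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2015:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2015:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2015:13:55:36 +0000] "GET / HTTP/1.1" 503 0
"""


def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"),
            "method": method, "path": path, "status": int(status)}


def parse_log(text):
    """Parse every line of a log, silently skipping lines that do not match."""
    return [e for e in map(parse, text.splitlines()) if e]


def peak_rps(entries):
    """Highest number of requests each client made within any single second."""
    per_second = Counter((e["ip"], e["time"]) for e in entries)
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def flood_sources(entries, threshold):
    """Clients whose peak per-second rate reaches the threshold: DoS candidates."""
    return {ip for ip, n in peak_rps(entries).items() if n >= threshold}


def probing_sources(entries, min_missing_paths):
    """Clients that requested many distinct non-existent paths: scanner candidates."""
    missing = defaultdict(set)
    for e in entries:
        if e["status"] == 404:
            missing[e["ip"]].add(e["path"])
    return {ip for ip, paths in missing.items() if len(paths) >= min_missing_paths}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("flood candidates:  ", flood_sources(entries, threshold=5))
    print("scanner candidates:", probing_sources(entries, min_missing_paths=3))
```

The ordinary visitor trips neither check: one request per second and no missing paths. Tuning the two thresholds against a week of your own logs is the real work; the point of the exercise is that the two actors the chapter describes need different controls (patching and perimeter filtering for the scanner, capacity and rate limiting for the flood), and the log tells you which one you are actually facing.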
Often our own employees are overlooked as a threat. It’s a cliché to say that our staff are both our strongest and our weakest security control. In this case it is a double loss: not only are they a weakness, they are also possibly an active threat to the system. Disgruntled employees typically pose two threats: deliberately compromising our system, or, because of their lack of engagement, being more prone to errors. The reasons a member of staff could become disgruntled range from a disagreement over pay to being overworked. It is important that an organisation is aware of morale levels within the workforce and takes steps to improve them where needed.
Disgruntled employees typically have the following motivations:
• Lack of interest/pride in their work.
Disgruntled employees will aim to damage the organisation’s reputation rather than compromise a system for financial reasons. This can be done through an information leak or by affecting the availability of a system.
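The chapter opens by recommending a threat log that records each actor’s motivations, capabilities and likely means of compromise, and then uses it to decide where controls are most needed and to react when the real-world picture changes. The following is an added example, not from the book, of such a log as a small Python register built from the actors described in this chapter. The skill and prevalence scores, the vector labels and the mapping from vector to control area are constructed illustrations for a hypothetical organisation; fill them in with someone who knows your own business.

```python
from collections import Counter
from dataclasses import dataclass, field

# Scores are constructed for a hypothetical organisation:
#   skill      1 (script kiddie) .. 5 (researcher / skilled hacker)
#   prevalence 1 (rare)          .. 5 (seen daily)
#   vectors    "network", "malware", "physical", "insider", "dos"


@dataclass
class ThreatActor:
    name: str
    motivations: list
    skill: int
    prevalence: int
    vectors: list = field(default_factory=list)


REGISTER = [
    ThreatActor("Hacker", ["financial gain", "control of systems", "showing off"], 4, 3, ["network"]),
    ThreatActor("Malware writer", ["financial gain", "ransom", "botnet recruitment"], 4, 4, ["malware"]),
    ThreatActor("Script kiddie", ["boredom", "showing off"], 1, 5, ["network"]),
    ThreatActor("Journalist", ["public interest", "big story", "reputation"], 1, 1, ["physical"]),
    ThreatActor("Criminal", ["financial gain", "support for other crimes"], 3, 3, ["network", "physical"]),
    ThreatActor("Physical intruder", ["financial gain"], 1, 2, ["physical"]),
    ThreatActor("Researcher", ["fame", "money", "research"], 5, 1, ["network"]),
    ThreatActor("Hacktivist", ["public awareness", "protest"], 2, 2, ["dos"]),
    ThreatActor("Disgruntled employee", ["lack of pride in work"], 2, 2, ["insider"]),
]

# Which family of controls answers each vector (hypothetical mapping).
CONTROL_FOCUS = {
    "network": "network perimeter controls (patching, firewall, intrusion detection)",
    "malware": "endpoint controls (antivirus, web filtering, least privilege)",
    "physical": "physical controls (access control, background checks, asset locks)",
    "insider": "people controls (monitoring, morale, segregation of duties)",
    "dos": "availability controls (capacity planning, rate limiting)",
}


def vector_pressure(register):
    """Weight each vector by skill x prevalence of every actor that uses it."""
    pressure = Counter()
    for actor in register:
        for vector in actor.vectors:
            pressure[vector] += actor.skill * actor.prevalence
    return pressure


def control_priorities(register):
    """Control areas ordered by pressure, most pressing first."""
    return [(vector, CONTROL_FOCUS[vector], score)
            for vector, score in vector_pressure(register).most_common()]


def update_prevalence(register, actor_name, new_prevalence):
    """Apply outside intelligence, e.g. a police report of local burglaries."""
    for actor in register:
        if actor.name == actor_name:
            actor.prevalence = new_prevalence
            return actor
    raise KeyError(actor_name)


if __name__ == "__main__":
    for vector, focus, score in control_priorities(REGISTER):
        print(f"{score:3d}  {vector:<9} -> {focus}")
    update_prevalence(REGISTER, "Physical intruder", 5)
    print("after burglary report:", vector_pressure(REGISTER)["physical"])
```

Sharing the register is the point: when the networks team reads that organisations like yours are being targeted, or the facilities team hears of break-ins nearby, they change one number and everyone sees the control priorities move. The weighting is deliberately crude; the discipline of recording the actor, the motive and the vector matters more than the arithmetic.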