Chapter 6

Threats and vulnerabilities

Overview

- Threat model
- Agents
- Actions
- Vulnerabilities

Introduction: Threats

Definition
- Capabilities, intentions and attack methods of adversaries to exploit or cause harm to assets
- NIST definition: any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure or modification of information, and/or denial of service

Goal
- Once assets are identified, identify threats for optimal information security investments
- No defense necessary if no harm anticipated

Threat model

Definition
- Interactions between relevant agents, actions and assets constitute the threat model facing an organization
- Threats arise from motivated people (agents) taking specific actions to exploit assets

To understand threats
- Understand relevant agents and their motivations
- Understand likely assets to be affected
- Understand likely actions against each asset

Threat model

[Diagram: the threat model as the interaction of agents, actions and assets]

Threat agents

Definition
- The individual, organization, or group that originates a particular threat action

Three types
- Simple classification into MECE (mutually exclusive, collectively exhaustive) categories
- External
- Internal
- Partners

Evolution: Trends

- Internal agents dropped dramatically
- External agents increased significantly

External agents

Definition
- Agents outside the organization, with no direct links to the organization itself

Categories
- Activist groups
- Auditors
- Competitors
- Customers
- Nature
- Former employees
- Government
- Cybercrime

External agents (contd.)

Activist groups
- Mix political activism with cybersecurity violations
- E.g. Anonymous, LulzSec

Governments
- Chinese APT attacks (Mandiant report)
- Syrian attackers reported
- Stuxnet

External agents (contd.)

Cybercrime
- Nigerian 419 scam
- Organized crime: CarderPlanet

Internal agents

Definition
- People linked to the organization, often as employees

Categories
- Internal auditors
- Help desk
- Upper management
- Human resources
- Janitorial staff
- Software developers
- System administrators

Internal agents (contd.)

Auditors
- Can cause damage in the name of compliance

Upper management
- Lack of awareness of information security concerns
- May be reversing in the opposite direction
- Often the weakest link
- Unaware of security
- Force exemptions from policy

Partners

Definition
- Third parties sharing a business relationship with the organization

Categories
- Cloud service providers
- Hardware and software vendors
- Contractors

Threat actions

Definition
- Activity performed by the agent in order to affect the confidentiality, integrity, or availability of the asset
- New actions emerging all the time

Simple categories
- Malware
- Hacking
- Social engineering
- Physical
- Error
- Environment

Threat actions (contd.)

Malware
- Malicious software: viruses, worms, bots

Hacking
- Brute force
- Poor choice of passwords
- Default passwords
- Cross-site scripting
  (Most important threat action: Eric Grosse, VP Security Engineering at Google, NSF meeting 2012)
- SQL injection
- Misuse of privileges

Threat actions (contd.)

Social engineering
- Unapproved software
- Phishing
- Pretexting

Physical
- Unauthorized access
- Theft

Error
- Misconfiguration

Environment
- Power and equipment outages
- Natural events

Vulnerabilities

Definition
- Weaknesses in information systems that give threats the opportunity to compromise assets

Relationship with threats
- A vulnerability is not a risk without a threat exploiting it
- A threat is not a risk without a vulnerability to be exploited
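The agents/actions/assets model and the two relationship rules above, as an added Python example that is not part of the slides: it pairs every agent with every asset and lists a risk only where one of the agent's actions meets a weakness it can actually exploit, and separately lists weaknesses no modelled agent can reach. The action-to-weakness mapping, agent names and assets are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product
AGENT_TYPES = {"external", "internal", "partner"}  # the slides' MECE agent categories

@dataclass(frozen=True)
class Agent:
    name: str
    category: str       # must be exactly one of AGENT_TYPES
    actions: frozenset  # threat actions this agent is motivated and able to take
@dataclass(frozen=True)
class Asset:
    name: str
    vulnerabilities: frozenset  # weaknesses present on the asset
# Hypothetical mapping (constructed): the weakness each threat action needs to succeed
ACTION_EXPLOITS = {
    "brute force": "weak password",
    "sql injection": "unvalidated input",
    "misuse of privileges": "excess privileges",
    "theft": "no physical access control",
}

def validate_agents(agents):
    """Reject any agent that does not fall in exactly one MECE category."""
    bad = [a.name for a in agents if a.category not in AGENT_TYPES]
    if bad:
        raise ValueError(f"agents outside MECE categories: {bad}")

def threat_model(agents, assets):
    """Return the (agent, action, asset) triples that are real risks: an agent's
    action meets a matching vulnerability on the asset. An action with nothing to
    exploit is not a risk and is dropped, per the slides' relationship rules."""
    validate_agents(agents)
    return [(ag.name, act, asset.name)
            for ag, asset in product(agents, assets)
            for act in sorted(ag.actions)
            if ACTION_EXPLOITS.get(act) in asset.vulnerabilities]

def unexploited_vulnerabilities(agents, assets):
    """Weaknesses no modelled agent can reach: not a risk, so no defense needed yet."""
    reachable = {ACTION_EXPLOITS[a] for ag in agents for a in ag.actions if a in ACTION_EXPLOITS}
    return {(asset.name, v) for asset in assets for v in asset.vulnerabilities if v not in reachable}

# Constructed sample data, not taken from the slides
AGENTS = [Agent("cybercrime group", "external", frozenset({"brute force", "sql injection"})),
          Agent("help desk staff", "internal", frozenset({"misuse of privileges"})),
          Agent("contractor", "partner", frozenset({"theft"}))]
ASSETS = [Asset("customer database", frozenset({"unvalidated input", "excess privileges"})),
          Asset("laptop", frozenset({"no physical access control"})),
          Asset("web portal", frozenset({"weak password", "missing patch"}))]
```

With the sample data, "missing patch" on the web portal is reported as unexploited because no modelled agent has an action that reaches it; adding such an agent turns it into a risk.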

Vulnerability trends

Source: Kuhn and Johnson, Vulnerability trends: measuring progress, IEEE IT Pro, 12(4), pp. 51-53, 2010

Vulnerability categories

Operating system vulnerabilities
- Patch Tuesday

Application vulnerabilities
- OWASP top 25 list

Example case: Gozi trojan

Gozi trojan
- Installed on over 1 million computers worldwide, including over 40,000 in the US

Creators
- Nikita Kuzmin of Russia
- Deniss Calovskis of Latvia
- Mihai Paunescu of Romania

Method
1. Virus installed silently since 2005; no malicious activity, hence undetected
2. Customers paid the Gozi team and got a set of "victims"

Hands-on activity: OpenVAS

- Open vulnerability assessment scanner

Design case: Help desk

Gozi case (contd.)

Method (contd.)
3. Gozi team suggested a financial firm to target, based on the banking preferences of the "victims" (e.g. the most commonly used bank)
4. Gozi team wrote customized software to intercept bank traffic and harvest credentials

Prosecuted on Jan 23, 2013; if convicted, each could be imprisoned for 60 years