
Chapter 6


evonne




Presentation Transcript


  1. Chapter 6 Threats and vulnerabilities

  2. Overview • Threat model • Agents • Actions • Vulnerabilities

  3. Introduction • Threats • Definition • Capabilities, intentions and attack methods of adversaries to exploit or cause harm to assets • NIST definition • Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure or modification of information, and/or denial of service • Goal • Once assets are identified, identify threats for optimal information security investments • No defense necessary if no harm anticipated

  4. Threat model • Definition • Interactions between relevant agents, actions and assets constitute the threat model facing an organization • Threats arise from motivated people (agents) taking specific actions to exploit assets • To understand threats • Understand relevant agents and their motivations • Understand likely assets to be affected • Understand likely actions against each asset

  5. Threat model

  6. Threat agents • Definition • The individual, organization, or group that originates a particular threat action • Three types • Simple classification into MECE (mutually exclusive, collectively exhaustive) categories • External • Internal • Partners

  7. Evolution • Trends • Internal agents dropped dramatically • External agents increased significantly

  8. External agents • Definition • Agents outside the organization, with no direct links to the organization itself • Categories • Activist groups • Auditors • Competitors • Customers • Nature • Former employees • Government • Cybercrime

  9. External agents (contd.) • Activist groups • Mix political activism with cybersecurity violations • E.g. Anonymous, LulzSec • Governments • Chinese APT attacks • Mandiant report • Syrian attackers reported • Stuxnet

  10. External agents (contd.) • Cybercrime • Nigerian 419 scam • Organized crime • CarderPlanet

  11. Internal agents • Definition • People linked to the organization, often as employees • Categories • Internal auditors • Help desk • Upper management • Human resources • Janitorial staff • Software developers • System administrators

  12. Internal agents (contd.) • Auditors • Can cause damage in the name of compliance • Upper management • Lack of awareness of information security concerns • May be reversing in the opposite direction • Often weakest link • Unaware of security • Force exemptions from policy

  13. Partners • Definition • Third parties sharing a business relationship with the organization • Categories • Cloud service providers • Hardware and software vendors • Contractors

  14. Threat actions • Definition • Activity performed by the agent in order to affect the confidentiality, integrity, or availability of the asset • New actions emerging all the time • Simple categories • Malware • Hacking • Social engineering • Physical • Error • Environment

  15. Threat actions (contd.) • Malware • Malicious software • Viruses • Worms • Bots • Hacking • Brute force • Poor choice of passwords • Default passwords • Cross-site scripting • Most important threat action • Eric Grosse, VP, Security Engineering at Google, NSF meeting 2012 • SQL injection • Misuse of privileges
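Slide 15 lists SQL injection among the hacking threat actions. The following is an added example, not code from the slides or from any project they mention: it places a query built by string concatenation beside the parameterized form, using an in-memory SQLite table with constructed user rows, so the difference in behaviour on the same hostile input can be observed directly. The table layout, the user names and the two login functions are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    """Build a throwaway in-memory user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn

def login_vulnerable(conn, name, pw):
    """Vulnerable form: user input is spliced into the SQL text, so quote
    characters in the input change the structure of the query."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(query)]

def login_hardened(conn, name, pw):
    """Hardened form: placeholders are bound to values by the driver, so the
    input is only ever compared as data and cannot alter the query."""
    query = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(query, (name, pw))]

if __name__ == "__main__":
    db = make_db()
    hostile_pw = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "x", hostile_pw))  # every user
    print("hardened:  ", login_hardened(db, "x", hostile_pw))    # no user
```

The hardened version is the one to keep; the vulnerable one is shown only so that the effect of the textbook input can be compared. Note that escaping quotes by hand is not a substitute for parameter binding, because the escaping rules differ between database engines.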

  16. Threat actions (contd.) • Social engineering • Unapproved software • Phishing • Pretexting • Physical • Unauthorized access • Theft • Error • Misconfiguration • Environment • Power and equipment outages • Natural events
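Slides 15 and 16 catalogue threat actions without saying how a defender would notice one in progress. As an added example that is not part of the slides, the code below runs a simple brute-force detector over a handful of constructed authentication log lines: it counts failed logins per source address inside a sliding time window and reports the source and the moment the threshold was crossed. The log format, the field names, the sample addresses and the threshold values are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the format is an assumption.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth FAIL user=alice src=10.0.0.5
2024-05-01T10:00:02 auth FAIL user=alice src=10.0.0.5
2024-05-01T10:00:03 auth FAIL user=root src=10.0.0.5
2024-05-01T10:00:04 auth FAIL user=admin src=10.0.0.5
2024-05-01T10:00:05 auth FAIL user=bob src=10.0.0.5
2024-05-01T10:00:06 auth OK user=alice src=10.0.0.9
2024-05-01T10:05:00 auth FAIL user=carol src=10.0.0.7
2024-05-01T10:09:00 auth FAIL user=carol src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, status, user, src) tuples; lines that
    do not match the expected format are skipped rather than guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, status, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), status, user, src))
    return events

def detect_brute_force(events, threshold=5, window_seconds=60):
    """Return {src: first_time_flagged} for sources that produced at least
    `threshold` failed logins within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)   # src -> timestamps of failures still in window
    flagged = {}
    for ts, status, user, src in sorted(events):
        if status != "FAIL":
            continue
        failures = recent[src]
        failures.append(ts)
        # Drop failures that have aged out of the window.
        while failures and ts - failures[0] > window:
            failures.pop(0)
        if len(failures) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged

if __name__ == "__main__":
    for src, when in detect_brute_force(parse(SAMPLE_LOG)).items():
        print(f"brute force suspected from {src} at {when.isoformat()}")
```

With the default threshold, only 10.0.0.5 is reported: five failures across several user names in five seconds. The two failures from 10.0.0.7 are four minutes apart and stay below the bar; widening the window to five minutes and lowering the threshold to two would catch them, which is the usual tuning trade-off between missed slow attempts and noise from ordinary typos.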

  17. Vulnerabilities • Definition • Weaknesses in information systems that give threats the opportunity to compromise assets • Relationship with threats • Vulnerability is not a risk without a threat exploiting it • Threat is not a risk without a vulnerability to be exploited

  18. Vulnerability trends • Source: • Kuhn and Johnson, Vulnerability trends: measuring progress, IEEE IT Pro, 12(4), pp. 51-53, 2010

  19. Vulnerability categories • Operating system vulnerabilities • Patch Tuesday • Application vulnerabilities • OWASP top 25 list

  20. Example case – Gozi trojan • Gozi trojan • Installed on over 1 million computers worldwide • Including over 40,000 in the US • Creators • Nikita Kuzmin of Russia • Deniss Calovskis of Latvia • Mihai Paunescu of Romania • Method • Virus installed silently since 2005 • No malicious activity, hence undetected • Customers paid Gozi team • Got a set of “victims”

  21. Hands-on activity • OpenVAS • Open vulnerability assessment scanner

  22. Design case • Help desk

  23. Gozi case (contd.) • Method (contd.) • Gozi team suggested a financial firm to target • Based on banking preferences of “victims” • E.g. most commonly used bank • Gozi team wrote customized software to intercept bank traffic and harvest credentials • Prosecuted on Jan 23, 2013 • If convicted, could be imprisoned for 60 years each
