Threats, Vulnerabilities, and Risks

Threats, Vulnerabilities, and Risks
CS795/895
References
Reference 1. Big List of Information Security Vulnerabilities, JohnSpacey, 2011http://simplicable.com/new/the-big-list-of-information-security-vulnerabilitiesReference 2. Top Ten Database Security Threats,AmichaiShulman,www.schell.com/Top_Ten_Database_Threats.pdf‎Reference 3. 10 Web Threats that could harm your business, RobertLemos, 2013,http://www.darkreading.com/vulnerability/10-web-threats-that-could-harm-your-busi/240150315Reference 4. Information Security, John PeterJesan, 2006. http://ubiquity.acm.org/article.cfm?id=1117695
Terminology
Threat---a potential cause of an incident that may result in harm to a system or organizationVulnerability---aweakness of an asset(resource) or a group of assets that can be exploited by one or more threatsRisk---potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerabilityExample: In a system that allows weak passwords,Vulnerability---password is vulnerable for dictionary or exhaustive key attacksThreat---An intruder can exploit the password weakness to break into the systemRisk---the resources within the system are prone for illegal access/modify/damage by the intruder.Threat agent---entities that would knowingly seek to manifest a threat
Who is the enemy? Why do they do it?
OffendersCrackers---mostly teenagers doing as intellectual challengeInformation system’s criminals---Espionage and/or Fraud/abuse---for a nation/company to gain a competitive advantage over its rivalsVandals---authorizedusers and strangers (cracker or a criminal)---motivated by anger directed at an individual/organization/life in general
Motives of Cyber Criminal
Power assurance---to restore criminal’s self-confidence or self-worth throughlow-aggression means;---e.g. cyber stalkingPower assertive---to restore criminal’s self-confidence or self-worth throughmoderate- to high-aggression means---not to harm the victim but to get control of the victim;Anger (retaliatory)---rage towards a person, group, institution, or a symbol---the offender may believe that they are correcting some injusticeSadistic---derive gratification from the pain/suffering of othersProfit-oriented---material or personal gain
Risk = Threats x VulnerabilitiesRef:http://simplicable.com/new/the-big-list-of-information-security-vulnerabilities
Types of Damage
Interruption---destroyed/unavailable services/resourcesInterception---unauthorized party snooping or getting access to a resourceModification--- unauthorized partymodifying aresourceFabrication---unauthorized partyinserts a fake asset/resource
Components of a Threat
ComponentsThreat agents---criminals, terrorists, subversive or secret groups, state sponsored, disgruntled employees,, hackers, pressure groups, commercial groupsCapability---software, technology, facilities, education and training, methods, books and manualsThreat inhibitors---fear of capture, fear of failure, level of technical difficulty, cost of participation, sensitivity to public perception, law enforcement activity, target vulnerability, target profile, public perception, peer perceptionThreat amplifiers---peer pressure, fame, access to information, changing high technology, deskilling through scripting, skills and education levels,law enforcement activity, target vulnerability, target profile, public perception, peerperceptionThreat catalysts---events, technology changes, personal circumstancesThreat agent motivators---political, secular, personal gain, religion, power, terrorism, curiosity
Threat Agents
TypesNatural---fire, floods, power failure, earth quakes, etc.Unintentional---insider, outsider---primarily non-hostileIntentional---Insider, outsider---hostile or non-hostile (curious)Foreign agents, industrial espionage, terrorists, organized crime, hackers and crackers, insiders, political dissidents, vendors and suppliers
Top ten Database Security Threatswww.schell.com/Top_Ten_Database_Threats.pdf‎
1.Excessive Privilege Abuse---users are granted database access privileges that exceed the requirements of their job function; e.g.,a university administrator whose job requires only the ability to change student contact information may take advantage of excessive database update privileges to change grades2.Legitimate Privilege Abuse----Users mayabuselegitimate database privileges for unauthorizedpurposes; e.g. a rogue health workerwho is willing to trade patient records for money3.Privilege Elevation---Attackersmay take advantage of database platform software vulnerabilities to convert access privileges from those of an ordinary user to those of an administrator. Vulnerabilities may be found in stored procedures, built-in functions, protocol implementations, and even SQL statements4.Database PlatformVulnerabilities---Vulnerabilities in underlying operating systems (Windows 2000, UNIX, etc.) and additional services installed on a database server may lead to unauthorized access, data corruption, or denial of service.5.SQLInjection---a perpetrator typically inserts (or “injects”) unauthorized database statements into a vulnerable SQL data channel.UsingSQL injection, attackers may gain unrestricted access to an entire database6.Weak AuditTrail---Weak database audit policy represents a serious organizational risk on many levels.---regulatory risk, deterrence, and detection and recovery7.Denial ofService (DoS)---access to network applications or data is denied to intended users8.Database Communication ProtocolVulnerabilities---e.g.,Four out of seven security fixes in the two most recent IBM DB2FixPacksaddress protocolvulnerabilities; similarly, 11 out of 23 database vulnerabilities fixed in the most recent Oracle quarterly patch relate to protocols9.WeakAuthentication---allowingattackers to assume the identity of legitimate database users by stealing or otherwise obtaining login credentials10.Backup DataExposure---Backup database storage media is often completely unprotected from attack. As a result, several high profile security breaches have involved theft of database backup tapes and hard disks.
Ten web threatshttp://www.darkreading.com/vulnerability/10-web-threats-that-could-harm-your-busi/240150315
1.Bigger, SubtlerDDoSAttacks---Distributed Denial of Service Attacks2.Old Browsers, VulnerablePlug-Ins---e.g.,browser vulnerabilities and, more frequently, the browser plug-ins that handle Oracle's Java and Adobe's Flash and Reader.3.Good Sites Hosting BadContent---inVOHO watering holeattack,attackers infected legitimate financial and tech industry websites in Massachusetts and Washington, D.C., commonly accessed by their intendedvictims4.Mobile Apps And The UnsecuredWeb---bring-your-own-device movement has led to a surge in consumer-owned devices inside corporate firewalls5.Failing To Clean Up BadInput---e.g.,Since 2010, SQL injection has held the top spot on the Open Web Application Security Project's list of top 10 security vulnerabilities6.The Hazards OfDigital Certificates---aseries of hacks against certificate authoritiesgave attackers the tools they needed to issue fraudulent SSL certificates that could disguise a malicious website as a legitimate7.The Cross-Site ScriptingProblem---An attacker going after a banking site with a cross-site scripting vulnerability could run a script for a login box on the bank's page and steal users' credentials.8.The Insecure 'Internet OfThings‘---Routers and printers, videoconferencing systems, door locks and other devices are now networked via Internet protocols and even have embedded Web servers. In many cases, the software on these devices is an older version of an open source library that's difficult9.Getting In The FrontDoor---Automated Web bots scrape from Web pages information that can give a competitor better intelligence on your business.10.New Technology, SameProblems---People click links all day long -- people are pretty trained to think that clicking a link on the Web is safe.
Major Security Threats on Information Systemshttp://ubiquity.acm.org/article.cfm?id=1117695
1. Intrusionor Hacking---gainingaccess to a computer system without the knowledge of its owner---Tools: . Poor Implementation of ShoppingCarts, Hiddenfields in the htmlforms, Client-sidevalidationscripts, DirectSQLattack, Session Hijacking, BufferOverflowForms, Port Scan2. Viruses and Worms--- programs that make computer systems not to work properly--- Polymorphic Virus, Stealth Virus, Tunneling Virus, Virus Droppers, CavityVirus3. Trojan Horse--- These programs are having two components; one runs as a server and another one runs as aclient; dataintegrity attack, steal private informationonthe targetsystem,store key strokes and make it viewable for hackers, sendingprivate localas an email attachment.4. Spoofing---fooling other computer users to think that the source of their information is coming from a legitimate user---IPSpoofing, DNS Spoofing, ARP Spoofing5. Sniffing---used by hackers for scanninglogin_idsand passwords over the wires.TCPDUmpand Snoop are better examples for sniffing tools.6. Denial of Service---The main aim of this attack is to bring down the targeted network and make it to deny the service for legitimate users. In order to doDoSattacks, people do not need to be an expert. They can do this attack with simple ping command
Vulnerabilities
“Some weakness of a system that could allow security to be allowed.”Types of vulnerabilitiesPhysical vulnerabilitiesNatural vulnerabilitiesHardware/software vulnerabilitiesMedia vulnerabilities (e.g., stolen/damaged disk/tapes)Emanation vulnerabilities---due to radiationCommunication vulnerabilitiesHuman vulnerabilities
How do the vulnerabilities manifest?
The different types of vulnerabilities manifest themselves via several misuses:External misuse---visual spying, misrepresenting, physical scavengingHardware misuse---logical scavenging, eavesdropping, interference, physical attack, physical removalMasquerading---impersonation, piggybacking attack, spoofing attacks, network weavingPest programs---Trojan horse attacks, logic bombs, malevolent worms, virus attacksBypasses---Trapdoor attacks, authorization attacks (e.g., password cracking)Active misuse---basic active attack, incremental attack, denial of servicePassive misuse---browsing, interference, aggregation, covert channels
Examples of Information Security Vulnerabilities
Ref:http://simplicable.com/new/the-big-list-of-information-security-vulnerabilitiesInformation security vulnerabilities are weaknesses that expose an organization to risk.Through employees: Social interaction, Customer interaction, Discussingwork in publiclocations, Takingdata out of the office (paper, mobile phones,laptops), Emailingdocuments anddata, Mailingand faxingdocuments, Installingunauthorized software andapps, Removingor disabling securitytools, Lettingunauthorized persons into the office (tailgating), Openingspamemails, Connectingpersonal devices to companynetworks, Writingdown passwords and sensitivedata, Losingsecurity devices such as idcards, Lackof information securityawareness, KeyingdataThrough former employees---Formeremployees working forcompetitors, Formeremployees retaining companydata, Formeremployees discussing company mattersThough Technology---Socialnetworking, File sharing, Rapidtechnologicalchanges, Legacy systems, Storingdata on mobile devices such as mobilephones, Internet browsersThrough hardware---. Susceptibility to dust, heat andhumidity, Hardwaredesignflaws, Outof datehardware, Misconfigurationofhardware
Examples of Information SecurityVulnerabilities (Cont.)
Throughsoftware---Insufficienttesting, Lackof audittrail, Softwarebugs and designfaults, Uncheckeduserinput, Softwarethat fails to consider humanfactors, Softwarecomplexity (bloatware), Softwareas a service (relinquishing control ofdata), Softwarevendors that go out of business or changeownershipThrough Network---Unprotected networkcommunications, Openphysical connections, IPs andports, Insecurenetworkarchitecture, Unuseduserids, Excessive privileges, Unnecessaryjobs and scripts executing,WifinetworksThrough IT Management---InsufficientIT capacity ,Missed securitypatches, Insufficientincident and problemmanagement, Configurationerrors and missed security notices, Systemoperationerrors, Lackof regularaudits, Improperwastedisposal, Insufficientchangemanagement, Businessprocessflaws, Inadequatebusinessrules, Inadequatebusinesscontrols, Processesthat fail to consider humanfactors, Overconfidencein securityaudits, Lackof riskanalysis, Rapidbusinesschange, InadequatecontinuityplanningLaxrecruiting processesPartners and suppliers---Disruption of telecomservices, Disruptionof utility services such as electric, gas,water, Hardware failure, Software failure, Lostmail and courierpackages, Supply disruptions, Sharingconfidential data with partners and suppliers
Risk and Risk management
Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organizationRisk management--- “Process of identifying, controlling and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.” --- assessment of risk and the implementation of procedures and practices designed to control the level of riskRisk assessment--- “ assessment of threats to, impact on and vulnerabilities of information and information processing facilities and the likelihood of their occurrence.”---identification of the risk, analysis of the risk in terms of performance, cost, and other quality factors; risk prioritization in terms of exposure and leverage
Risk management
Risk managementRisk assessmentRisk identification---decision driver analysis, assumption analysis, decompositionRisk analysis---cost models, network analysis, decision analysis, quality factor analysisRisk prioritization---risk leverage, component risk reductionRisk controlRisk management planning---risk avoidance, transfer, reduction, element planning, plan integrationRisk resolution---Simulations, benchmarks, analysis, staffingRisk monitoring---Top 10 tracking, risk assessment, corrective action
Threat Matrix
Capabilities of a threat versus type of vulnerabilitiesSimilar to risk assessment or risk analysis matrixGoeland Chen use examples to illustrate a vulnerability matrix and a threat matrix (www.albany.edu/~goel/publications/goelchen2005.pdf‎)Duggan et al illustrate a threat profile matrix. (Sandia Report, SAND2007-5791)
Risk management
Process of: assessing risk, taking steps to reduce it to an acceptable level, and maintaining that level of riskFive principle:I. Assess riskand determine needsRecognize the importance of protecting information resource assetsDevelop risk assessment procedures that link IA to business needsHold programs and managers accountableManage risk on a continuing basisII. Establish a central management focusDesignate a central group for key activitiesProvide independent access to senior executives to the groupDesignate dedicated funding and staffPeriodically, enhance staff technical skillsIII.Implement appropriate policies and related controlsLink policies to business risksDifferentiate policies and guidelinesSupport polices via the central IA groupIV Promote awarenessEducate user and others on risks and related policiesUse attention-getting and user-friendly techniquesV Monitor and evaluate policy and control effectivenessMonitor factor that affect risk and indicate IA effectivenessUse results to direct future efforts and hold managers accountableBe on the lookout for new monitoring tools andtechniques
Federal System Risk Management Framework
The National Institute of Standards and Technology has made available guidelines for applying risk management to Federal Information Systems.Refer tohttp://csrc.nist.gov/groups/SMA/fisma/rmf-training.htmlGo throughthe course athttp://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/rmf-training/index.html(Audio+ slides)
Summary
Threat, Vulnerability, and Risk are definedThe enemies of information systems and their motives are briefly discussedTypes of damage are classifiedRisk management is discussedDifferent types of threats with examples are discussedDifferent vulnerabilities and threats are described at depth