Chapter 6
Threats and vulnerabilities

Overview
Threat model
Agents
Actions
Vulnerabilities

Introduction: Threats
Definition: Capabilities, intentions and attack methods of adversaries to exploit or cause harm to assets
NIST definition: Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure or modification of information, and/or denial of service
Goal: Once assets are identified, identify threats for optimal information security investments
No defense necessary if no harm anticipated

Threat model: Definition
Interactions between relevant agents, actions and assets constitute the threat model facing an organization
Threats arise from motivated people (agents) taking specific actions to exploit assets
To understand threats:
Understand relevant agents and their motivations
Understand likely assets to be affected
Understand likely actions against each asset

Threat model (diagram with three elements): Agents, Actions, Assets

Threat agents: Definition
The individual, organization, or group that originates a particular threat action
Three types: Simple classification into MECE (mutually exclusive, collectively exhaustive) categories
External
Internal
Partners

Evolution: Trends
Internal agents dropped dramatically
External agents increased significantly

External agents: Definition
Agents outside the organization, with no direct links to the organization itself
Categories: Activist groups, Auditors, Competitors, Customers, Nature, Former employees, Government, Cybercrime

External agents (contd.)
Activist groups: Mix political activism with cybersecurity violations, e.g. Anonymous, LulzSec
Governments: Chinese APT attacks (Mandiant report); Syrian attackers reported; Stuxnet

External agents (contd.)
Cybercrime: Nigerian 419 scam
Organized crime: CarderPlanet

Internal agents: Definition
People linked to the organization, often as employees
Categories: Internal auditors, Help desk, Upper management, Human resources, Janitorial staff, Software developers, System administrators

Internal agents (contd.)
Auditors: Can cause damage in the name of compliance
Upper management: Lack of awareness of information security concerns; may be reversing in the opposite direction
Often weakest link: Unaware of security; force exemptions from policy

Partners: Definition
Third parties sharing a business relationship with the organization
Categories: Cloud service providers, Hardware and software vendors, Contractors

Threat actions: Definition
Activity performed by the agent in order to affect the confidentiality, integrity, or availability of the asset
New actions emerging all the time
Simple categories: Malware, Hacking, Social engineering, Physical, Error, Environment

Threat actions (contd.)
Malware: Malicious software (viruses, worms, bots)
Hacking: Brute force, poor choice of passwords, default passwords, cross-site scripting (most important threat action, per Eric Grosse, VP, Security Engineering at Google, NSF meeting 2012), SQL injection, misuse of privileges

Threat actions (contd.)
Social engineering: Unapproved software, phishing, pretexting
Physical: Unauthorized access, theft
Error: Misconfiguration
Environment: Power and equipment outages, natural events

Vulnerabilities: Definition
Weaknesses in information systems that give threats the opportunity to compromise assets
Relationship with threats:
A vulnerability is not a risk without a threat exploiting it
A threat is not a risk without a vulnerability to be exploited

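The threat/vulnerability relationship above, together with the introduction's goal of defending only where harm is anticipated, worked through as an added Python example (not part of the slides); the assets, harm scores, threats and vulnerabilities are constructed for illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    agent: str   # external / internal / partner
    action: str  # malware, hacking, social engineering, physical, error, environment
    asset: str   # asset the action is aimed at

@dataclass(frozen=True)
class Vulnerability:
    asset: str         # asset that carries the weakness
    weakness: str
    exploited_by: str  # threat action category that can exploit it

# Constructed sample data for a small online shop; harm scores (1-10) are the
# anticipated loss if the asset is compromised.
HARM = {"customer db": 9, "web server": 6, "office printer": 1}
THREATS = [
    Threat("external", "hacking", "customer db"),
    Threat("external", "hacking", "web server"),
    Threat("internal", "error", "web server"),
    Threat("external", "malware", "office printer"),
]
VULNS = [
    Vulnerability("customer db", "SQL injection in search form", "hacking"),
    Vulnerability("web server", "default admin password", "hacking"),
    Vulnerability("web server", "no change control on config", "error"),
    Vulnerability("customer db", "unencrypted backup tapes", "physical"),
]

def pairs(threats, vulns):
    """Threat/vulnerability pairs on the same asset with a matching action."""
    return [(t, v) for t in threats for v in vulns
            if t.asset == v.asset and t.action == v.exploited_by]

def risks(threats, vulns, harm):
    """Actual risks ranked by anticipated harm, so investment goes to the top of
    the list; a pair is a risk only when threat and vulnerability meet."""
    found = [(t.asset, t.action, v.weakness, harm[t.asset]) for t, v in pairs(threats, vulns)]
    return sorted(found, key=lambda r: r[3], reverse=True)

def unmatched(threats, vulns):
    """Threats with no vulnerability to exploit and vulnerabilities with no threat
    exploiting them: neither is a risk, so neither needs a defense yet."""
    matched_t = {t for t, _ in pairs(threats, vulns)}
    matched_v = {v for _, v in pairs(threats, vulns)}
    return ([t for t in threats if t not in matched_t],
            [v for v in vulns if v not in matched_v])
```

Running `risks(THREATS, VULNS, HARM)` lists the customer database first; the printer malware threat and the backup-tape weakness come back from `unmatched` because nothing meets them.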
Vulnerability trends
Source: Kuhn and Johnson, Vulnerability trends: measuring progress, IEEE IT Pro, 12(4), pp. 51-53, 2010

Vulnerability categories
Operating system vulnerabilities: Patch Tuesday
Application vulnerabilities: OWASP top 25 list

Example case – Gozi trojan
Installed on over 1 million computers worldwide, including over 40,000 in the US
Creators: Nikita Kuzmin of Russia, Deniss Calovskis of Latvia, Mihai Paunescu of Romania
Method:
1. Virus installed silently since 2005; no malicious activity, hence undetected
2. Customers paid the Gozi team and got a set of “victims”

Hands-on activity: OpenVAS
Open vulnerability assessment scanner

Design case: Help desk

Gozi case (contd.)
Method (contd.):
3. Gozi team suggested a financial firm to target, based on banking preferences of “victims” (e.g. most commonly used bank)
4. Gozi team wrote customized software to intercept bank traffic and harvest credentials
Prosecuted on Jan 23, 2013; if convicted, could be imprisoned for 60 years each