By Tom Olzak, guest contributor
Understanding the probable threats facing your organization’s network requires an understanding of where threat agents originate. Not all threat sources apply to your business. For example, if you assess a facility in Toledo, Ohio, you don’t have to worry about hurricanes. However, you might want a business continuity plan that includes blizzards. For general purposes, threat sources can fall into one of four categories: human, geographic, natural, and technical.
Human threat sources include both internal and external people. Further, human-caused security incidents are either accidental or intentional. Regardless of location, a human threat source relies on three common conditions for successful vulnerability exploitation: motive, opportunity, and means (MOM). Understanding how they work and what to look for helps us design reasonable and cost-effective prevention and detection controls.
Motive is a person’s reason for doing something. It is often defined in terms of incentive, what a person hopes to gain. Successful defense against a threat agent depends largely on the person’s incentive for reaching targeted information assets. For example, if an attacker can sell the contents of a target database for $500,000, he or she is probably much more motivated than an attacker reaching for assets worth a few hundred dollars. Another example is the politically motivated terrorist who believes a successful attack will advance his movement’s agenda. Motive can mean the difference between facing a traditional threat and an advanced persistent threat (APT).
How we determine the probable motive behind an attack depends on several factors. We can often identify high-risk factors by asking the right questions, including:
* Is your organization participating in politically sensitive business operations?
* Do you process or store information of high value to cyber-criminals or foreign governments?
* Are your hiring, termination, and labor practices fair and impartial as perceived by the public?
* Are you a high-profile organization that makes a great publicity target (e.g. Google, Yahoo, Microsoft, etc.)?
This is a short list that provides examples of the types of questions you might consider. They often change based on the system or the facility assessed. For example, you might determine there is potential for high motivation when assessing engineering systems on which you create and store intellectual property. On the other hand, systems containing personal employee information, while worthy of protection, probably face less motivated threat agents.
Understanding opportunity is easy; how many unmanaged vulnerabilities do you have? Opportunity rises or falls with:
* The number of patches you have not applied
* The level of security training and awareness activities in which your employees participate
* The effectiveness of prevention controls
* The effectiveness of detection controls
* The speed at which your incident response team (assuming you have one) contains threat agents
Means is determined by the skill set required to reach and exploit a target. An attacker has the means if he or she can circumvent your controls and successfully achieve planned objectives. When designing a controls framework, it is not always necessary to fill your network with performance-killing and hard-to-manage security appliances. Rather, keep up to date with network security trends. Simply increasing the skill set and tools required of the attacker reduces the probability of occurrence.
Human threat agents, therefore, are hindered by decreasing their motives, eliminating or confounding their opportunities, and requiring them to have sophisticated toolsets and skills.
Human Threat Agents
Human threats use a variety of methods, including social engineering, phishing or pharming, DNS redirection, and botnet operation. An attack against an organization, especially an APT, will use two or more of these or other methods. This is called a blended threat.
Social engineering uses con artist skills to achieve an objective. For example, an attacker might call a user in payroll. The conversation begins with the attacker telling the payroll user that he is with the help desk and trying to remotely install new software. However, he needs the user’s password to complete the task. Untrained employees, or those working in an organization without strong awareness activities, are probable vulnerabilities for social engineering. In addition to logical access information gathering, social engineering is also a great tool for gaining unauthorized physical access.
Phishing and Pharming
Phishing and pharming are types of social engineering, typically using email or DNS redirection. An attacker might craft an email to look like it comes from a popular social networking site. She then sends it to a large set of email addresses. Organizations not filtering questionable email will likely allow their users to receive it. An untrained user will open the email and click on a link provided by the attacker.
Clicking on a link in a phishing email might perform one or more of the following:
* Install botnet software on the user’s computer
* Install key logging software
* Redirect the user to a website masquerading as a page belonging to the social network
* Request the user’s account information, including password
* Request the user’s payment information, including credit card approval information
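The link in the phishing message described above is usually the first thing a mail gateway or an analyst can check: the visible text names the social network, but the href points elsewhere, or the href host merely resembles the real domain. The following is an added example for this article, not the author's code; it parses a constructed sample message and reports such anchors. The trusted-domain list, the sample hosts and the `analyze_links` helper are all assumptions made for the illustration.

```python
"""Flag suspicious links in an HTML email body (added example, not the article's code).

Two checks are applied to every <a> element:
  1. If the visible text itself reads as a URL or domain, its registrable domain
     must match the registrable domain of the href.
  2. The href host must not merely embed a trusted brand name inside another domain.
The trusted-domain list below is a hypothetical allowlist an organization would maintain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains the organization expects users to reach (assumption).
TRUSTED_DOMAINS = {"socialnet.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain extraction: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_host(text):
    """True if the visible link text reads as a URL or bare domain."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://")) or ("." in t and " " not in t)


def lookalike(host, trusted):
    """True if the host contains a trusted brand label but is not that trusted domain."""
    reg = registrable(host)
    for t in trusted:
        brand = t.split(".")[0]
        if reg != t and brand in host.lower():
            return True
    return False


def analyze_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if not href_host:          # mailto:, relative links, etc. are skipped
            continue
        if looks_like_host(text):
            text_url = text if "://" in text else "http://" + text
            text_host = urlparse(text_url).hostname or ""
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append((href, f"visible text names {text_host} but link goes to {href_host}"))
                continue
        if lookalike(href_host, trusted):
            findings.append((href, f"{href_host} resembles a trusted domain"))
    return findings


# Constructed sample message: one deceptive link, one legitimate link, one unrelated link.
SAMPLE_EMAIL = """
<p>Your SocialNet account needs verification.</p>
<a href="http://socialnet-login.example/verify">https://socialnet.example/verify</a>
<a href="http://socialnet.example/help">Help center</a>
<a href="http://cdn.attacker.example/unsub">Unsubscribe</a>
"""

if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The registrable-domain logic is deliberately crude (two labels); a production filter would use the public suffix list so that `co.uk`-style domains are handled correctly, and would also inspect redirect chains behind shorteners, which this check cannot see.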
One of the possible results of phishing is website redirection. In phishing, this might simply be a one-time event. However, redirection is also caused by DNS (Domain Name System) cache poisoning. The user will go to a malicious site every time his computer requests an address from a compromised DNS server or from his computer’s compromised local DNS cache.
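A compromised local name-resolution layer is one of the redirection mechanisms described above, and the hosts file is the simplest place such an override can be planted on an endpoint. As an added example for this article (not the author's code), the following audit parses a constructed hosts-file sample and compares it against a hypothetical baseline of addresses the organization expects certain names to resolve to; a real check would read the host's own `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`.

```python
"""Audit a hosts-style name-override file (added example, not the article's code).

Findings are raised when a baselined name points somewhere outside its baseline,
when a name is sinkholed to the unspecified address (0.0.0.0), or when an unlisted
name is overridden at all. The baseline and the sample file are constructed.
"""
import ipaddress

# Hypothetical baseline: names that should only ever resolve to these addresses.
EXPECTED = {
    "update.example": {"203.0.113.10"},
    "socialnet.example": {"198.51.100.20", "198.51.100.21"},
}

# Constructed sample file. Line 3 redirects a baselined name to an unexpected
# address; line 4 silently blocks a security-update name.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
203.0.113.10    update.example
192.0.2.99      socialnet.example  www.socialnet.example
0.0.0.0         av-updates.example   # blocks the name entirely
"""


def parse_hosts(text):
    """Return [(address, [names])] for each valid non-comment line of a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line; ignore it
        entries.append((str(addr), [n.lower() for n in parts[1:]]))
    return entries


def audit_hosts(text, expected=EXPECTED):
    """Return a list of (name, address, reason) findings."""
    findings = []
    for addr, names in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        for name in names:
            # Conventional loopback entries are expected and not reported.
            if ip.is_loopback and (name.startswith("localhost") or name.startswith("ip6-")):
                continue
            base = name[4:] if name.startswith("www.") else name
            if base in expected:
                if addr not in expected[base]:
                    findings.append((name, addr, "diverges from baseline"))
            elif ip.is_unspecified:
                findings.append((name, addr, "sinkholed"))
            else:
                findings.append((name, addr, "unlisted override"))
    return findings


if __name__ == "__main__":
    for name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{reason:>22}: {name} -> {addr}")
```

Sinkhole entries are not always malicious (ad-blocking lists use the same pattern), which is why the reason string distinguishes them from baseline divergence; the divergence finding is the one that maps directly to the redirection the article describes and should be alerted on first.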
Botnets manage much of today’s phishing, DNS redirection, information gathering, and other attack-related activities. Human controllers build a network of end-user systems and servers by using social engineering or some other method to install an agent on as many computers as possible. The agents can perform any task, including:
* Gathering sensitive information during day-to-day activities
* Launching denial of service (DoS) attacks against the host or other organizations
* Launching phishing attacks
Botnets are an excellent resource for APTs. The attackers simply request information about the target organization from botnet operators. Information from individual systems might include:
* Operating system used
* Applications installed
* Patch and version levels
* Network information
* Anti-malware solutions
There are other human threat sources, but these are the most common causes of system and network compromise.
Geographic Threat Sources
Specific conditions in the region or country in which a facility is located might have a unique set of geographic threats, including:
* Political instability
* Social unrest
* Economic instability
* Frequent power issues
* Frequent communication issues
* Uncertain or antagonistic legal environment
Natural Threat Sources
Natural threats are thrown at us by nature. Varying by location, they include:
* Wildfires
* Severe thunderstorms
Technical Threat Sources
I use this category for all electronic threats not directly managed by a human. For example, there are an uncountable number of malware instances floating around the Internet. They range from simple viruses to sophisticated worms. They infect servers, desktops, laptops, and smartphones. Usually caused by user action, infestations by these unmanaged applications can cause internal denial of service, system failure, or simple customer frustration.
The threats listed here are not intended to be inclusive of everything you might face. In fact, attackers are far too creative to list everything they might try to do to our networks. However, this sampling provides a view into the types of agents that contribute to organizational risk and our job security.