
Threats, Threat Agents, and Vulnerabilities
COMM037
Dr Hans Georg Schaathun, University of Surrey
Autumn 2010 – Week 5

Slide 2: Session objectives
- Recognise the differences between common threat sources
- Be able to account for a wide range of threats in a risk analysis
Raggad, Chapter 3; ISO 27005:2008

Dr Hans Georg Schaathun, Threats, Threat Agents, and Vulnerabilities, Autumn 2010 – Week 5 (slides 1–2 / 46)

Slide 5 [Threat Identification > Threat Classification]: Threat Identification (ISO 27005:2008)
- Input: information on threats from incident reviews, asset owners, users, etc.
- Output: a list of threats with identification of type and source.
- Action: identify threats and their sources.

Slide 6 [Threat Identification > Threat Classification]: Information on threats
- Threat description
- Threat source
- Threat type
- Effect of threat to asset (consequential threats)
- Impact and consequences

Slide 7 [Threat Identification > Threat Classification]: Classes of Threats
- Natural
- Manmade
  - Intentional
    - Outsider
    - Insider
  - Accidental
    - Human error
    - Software fault
    - Hardware fault

Slide 9 [Threat Identification > Threat Paths]: Example of Consequential Threats
- Root threat: thunderstorm
- Secondary threat: fire
- Third-order threat: power outage
- Fourth-order threat: web server failure
At what stage of the path do you put your controls?

Slide 10 [Threat Identification > Threat Paths]: Responsive Controls
- Thunderstorm: lightning diverter
- Fire: fire alarm, fire hoses, fire extinguishers
- Power outage: UPS
- Web server failure: off-site backup server, 24/7 maintenance crew

Slide 11 [Threat Identification > Threat Paths]: Preventive Controls
- To prevent web server failure, understanding of the cause is essential
- Controlling the cause threat prevents the higher-order threat
- Either a UPS (responsive) or an upgraded power supply (preventive) controlling the power outage threat will prevent web server failure (some of the time)
- Understanding threat paths is useful when planning preventive controls.
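The question "at what stage of the path do you put your controls?" can be worked through numerically. The following is an added example (not code from the lecture): it models the thunderstorm-to-web-server chain from the slides, treats a preventive control as one that stops its threat from occurring and a responsive control as one that lets the threat occur but stops it causing the next threat, and ranks candidate controls by how much each one alone reduces the probability of the final threat. The effectiveness figures are constructed for illustration, not measured data.

```python
"""Threat path model with preventive and responsive controls.

Added example, not from the lecture slides. The chain (thunderstorm -> fire ->
power outage -> web server failure) follows the lecture; the control
effectiveness figures are constructed for illustration, not measured data.
"""
import copy
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    name: str
    kind: str             # "preventive" or "responsive"
    effectiveness: float  # probability in [0, 1] that the control does its job


@dataclass
class Stage:
    threat: str
    controls: List[Control] = field(default_factory=list)

    def stop_probability(self, kind: str) -> float:
        """Probability that at least one control of `kind` at this stage works.
        Controls are assumed to fail independently of one another."""
        all_fail = 1.0
        for c in self.controls:
            if c.kind == kind:
                all_fail *= 1.0 - c.effectiveness
        return 1.0 - all_fail


def propagate(path: List[Stage], root_probability: float = 1.0) -> List[float]:
    """Probability that each threat in the path is realised.

    A preventive control at stage i stops threat i from occurring at all.
    A responsive control at stage i lets threat i occur but stops it from
    causing threat i+1: a UPS does not prevent the outage, it stops the
    outage from taking the web server down.
    """
    probabilities = []
    p_cause = root_probability      # probability that the cause of stage i arrives
    for stage in path:
        p_occurs = p_cause * (1.0 - stage.stop_probability("preventive"))
        probabilities.append(p_occurs)
        p_cause = p_occurs * (1.0 - stage.stop_probability("responsive"))
    return probabilities


def rank_candidates(path: List[Stage], candidates: List[Tuple[int, Control]],
                    root_probability: float = 1.0) -> List[Tuple[str, float]]:
    """For each candidate (stage index, control), the probability of the final
    threat if that control alone is added to the existing path, best first."""
    ranking = []
    for stage_index, control in candidates:
        trial = copy.deepcopy(path)          # never mutate the caller's path
        trial[stage_index].controls.append(control)
        ranking.append((control.name, propagate(trial, root_probability)[-1]))
    return sorted(ranking, key=lambda item: item[1])


# Constructed scenario: only a lightning diverter is in place today.
EXAMPLE_PATH = [
    Stage("Thunderstorm", [Control("lightning diverter", "responsive", 0.9)]),
    Stage("Fire"),
    Stage("Power outage"),
    Stage("Web server failure"),
]

# Candidate controls named on the lecture's two slides, with constructed effectiveness.
CANDIDATES = [
    (1, Control("fire alarm and extinguishers", "responsive", 0.7)),
    (2, Control("UPS", "responsive", 0.95)),
    (2, Control("upgraded power supply", "preventive", 0.6)),
    (3, Control("off-site backup server", "responsive", 0.8)),
]


if __name__ == "__main__":
    for stage, p in zip(EXAMPLE_PATH, propagate(EXAMPLE_PATH)):
        print(f"{stage.threat:20s} P = {p:.4f}")
    for name, p_final in rank_candidates(EXAMPLE_PATH, CANDIDATES):
        print(f"add {name:28s} -> P(web server failure) = {p_final:.4f}")
```

Note what the ranking does and does not say: the off-site backup server comes last because the model scores the probability that the final threat occurs, and a responsive control on the last stage only reduces the impact of that threat (downtime), which belongs in the impact assessment rather than in the threat path. The UPS ranks first purely because of the constructed effectiveness value; with a cheaper, less reliable UPS the upgraded power supply could win, which is exactly the "some of the time" qualification on the slide.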

Slide 12 [Threat Identification > Threat Paths]: Threat Paths and Impacts: Examples
- Port scanning attacks (root threat) facilitate break-in attacks (secondary threat)
- Credit card numbers compromised (confidentiality; root threat) facilitates impersonation attacks (integrity; secondary threat)
- Virus (integrity; root threat) facilitates other attacks (any type; secondary threat)

Slide 14 [Threat Identification > Approach]: Brainstorm from All Directions
Use different approaches and thought processes to cover as many threats as possible.
- Who are your enemies?
  - What do they want to do?
  - What can they do? (penetration testing)
- What has happened in the past?
  - to yourself
  - to others
- What are your greatest fears?
  - How could it come about?
- What could happen?

Slide 15 [Threat Identification > Approach]: Qualitative and Quantitative Approaches
- Quantitative approaches (e.g. FAIR)
  - measure and quantify issues
  - prioritise mathematically
  - detail required to measure
- Qualitative approaches (e.g. ISO 27005)
  - identify all problems
  - no accurate assessment of severity
- If you start the quantitative approaches too early, many threats will slip through

Slide 17 [Threat Sources]: What is a threat source? Recap
- Threat source or threat agent: an entity with an intention and capability to cause impact
  - Sentient adversaries: potential attackers
  - Honest users: making mistakes
  - Nature and random events
- There is a reason behind incidents
  - Enemies with an objective of their own
  - Nature and its random events

Slide 18 [Threat Sources]: Why do we identify threat sources?
Why do we need to identify the threat sources?
- When is the threat realised? How often?
- Understand the nature of the threat: resourceful attackers or amateurs?
- How will a preliminary attack be exploited? Blackmail? Slander? Further attacks?

Slide 20 [Threat Sources > WikiLeaks from Afghanistan]: WikiLeaks
- http://www.wikileaks.org/
- 77 000 classified military documents on the war in Afghanistan, late July 2010
- lifted from the US military
- leaks from Iraq, October 2010

Slide 21 [Threat Sources > WikiLeaks from Afghanistan]: Assets
Confidential information:
- former informants: potential targets of retribution
- future operations: allowing counter-operations
- previous operations: leading to impact on goodwill and reputation

Slide 22 [Threat Sources > WikiLeaks from Afghanistan]: Relevant Threat Sources
- Taliban and other insurgent organisations: military use of the information
- Freedom of information movements: champions of the public right to information
- Anti-war movements: aiming to swing public opinion about the war
- Other military and political enemies of the state: damage the state's military capability
Who is the actual threat source?

Slide 23 [Threat Sources > WikiLeaks from Afghanistan]: Vulnerabilities
- Staff with an agenda, able to override the controls
- Extensive records in compact format: walk out with an encyclopedia on a keyring

Slide 25 [Threat Sources > The Stuxnet Worm]: The Stuxnet Worm
- Targets industrial control systems
  - specific types of computers from Siemens
  - chemical plants
  - power plants
  - power grids
- Exploits four previously unknown vulnerabilities

Slide 26 [Threat Sources > The Stuxnet Worm]: What is a worm?
- Malware: malicious software
- Standalone programs: do not modify other programs (as viruses do)
- Usually spreads over the network: network congestion is a common impact

Slide 27 [Threat Sources > The Stuxnet Worm]: The attack on Iran
- 60% of infections in Iran
- The nuclear plant in Bushehr compromised
- Iran will not reveal the extent of damage; seems to have delayed the opening of the plant

Slide 28 [Threat Sources > The Stuxnet Worm]: Who is the attack source?
- This would require a lot of resources, on the level of a nation state (Gadi Evron, Israeli cybersecurity strategist)
- The known enemies, preventing nuclear development: USA and Israel
- China, as a test run of new technology
- Are there private organisations with the capability?
- We do not know what the source is

Slide 30 [Threat Sources > The Seven Cybercriminal Families]: A viewpoint from Law Enforcement
- Dr. David Bénichou at WIFS'09 in London
  - French investigating judge (juge investigatoire)
  - Special advisor to the Ministry of Justice
  - PhD in Computer Sciences
- Model based on field experience: more than 1000 cases
  - Qualitative rather than quantitative
  - Real-life, rather than academic, view

Slide 31 [Threat Sources > The Seven Cybercriminal Families]: The seven families of cybercrime
Seven classes of threat sources (graphics © David Bénichou):
- Adolescent amateurs: script kiddies, hackers
- Amateurs with a goal: avengers, legal persons
- Resourceful professionals: organised crime, terrorists, spies

Slide 32 [Threat Sources > The Seven Cybercriminal Families]: The seven families of cybercrime
[Bar chart: Empirical distribution of attack profiles. Categories: kiddies, hackers, avengers, LP (legal persons), cyberterrorists, bandits, spies. Two series, population and dangerousness, on a 0 to 100 scale.]

Slide 33 [Threat Sources > The Seven Cybercriminal Families]: The big majority
- Script kiddies
  - Clueless amateurs
  - Use scripts created by others
  - Trying hacks for fun
  - No understanding of the techniques used
- Hackers
  - Technically adept
  - Obscure motivations: challenge, learning, experience

Slide 34 [Threat Sources > The Seven Cybercriminal Families]: Masked Avengers
- Grown-up individuals with a score to settle
- Obvious motivation: relatively easy to unmask
- e.g. a disgruntled employee with a desire to punish the company
- e.g. Mr/Mrs Average dragging an ex-lover down in the mud

Slide 35 [Threat Sources > The Seven Cybercriminal Families]: Legal Persons
- Financial motives: unfair competition, trade secrets
- Highly skilled
- Easy to identify: the motive is a give-away

Slide 36 [Threat Sources > The Seven Cybercriminal Families]: The big and resourceful: spies, organised crime, and terrorists
- Different motivations
  - political (spies)
  - financial (organised crime)
  - ideological (terrorists)
- All are resourceful, with solid backing
  - few have resources on this scale
  - the resources make serious impact possible

Slide 37 [Threat Sources > The Seven Cybercriminal Families]: The rare and serious agents
- Terrorists, spies, organised crime
- Backed with considerable resources: money, manpower, information, backup
- Different objectives
  - Ideology: terrorists
  - Politics: spies
  - Money: organised crime
- Similar dedication: professionalism and clear objectives

Slide 38 [Threat Sources > The Seven Cybercriminal Families]: Risk Analysis
How does each family affect your risk analysis?
- Script kiddies
- Hackers
- Avengers
- Legal persons
- Terrorists
- Spies
- Organised crime

Slide 40 [Vulnerability Identification]: Vulnerability Identification (ISO 27005:2008)
- Input: lists of known threats, assets, existing controls
- Output:
  - a list of vulnerabilities in relation to assets, threats, and controls
  - a list of vulnerabilities not related to any identified threat
- Action: identify vulnerabilities that could be exploited by the threats

Slide 41 [Vulnerability Identification]: Areas of vulnerabilities (ISO 27005:2008)
- Organisation
- Processes and procedures
- Management routines
- Personnel
- Physical environment
- Information system configuration
- Hardware, software or communications equipment
- Dependence on external parties

Slide 42 [Vulnerability Identification]: Vulnerabilities and Known Threats
For each threat identified:
- Which assets are under threat?
- What vulnerabilities can it exploit? How?
- What could the attack be?
- What controls do we have?
Re-sort the list, listing each vulnerability with all its associated threats.

Slide 43 [Vulnerability Identification]: Vulnerabilities without Threat
Is there a problem?
- No risk, at the moment: a threat is needed to exploit it
- Yet it should be recognised and monitored
  - it may change over time
  - we may have forgotten a threat
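The two slides above, together with the summary's point that there is no immediate risk from a threat without a vulnerability or a vulnerability without a threat, describe a small bookkeeping procedure: record each threat against its assets, vulnerabilities and controls, then re-sort the register by vulnerability and flag the gaps. The following is an added example (not code from the lecture) that does exactly that. The register entries are constructed for illustration; the threat names echo the lecture's examples, but the vulnerabilities and controls are invented.

```python
"""Threat/vulnerability register: record each identified threat against the
assets it endangers, the vulnerabilities it could exploit and the controls in
place, then re-sort by vulnerability and flag the gaps.

Added example; the register entries are constructed for illustration and are
not taken from the lecture or from any real organisation.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Entry(NamedTuple):
    threat: str
    asset: str
    vulnerability: str
    how: str                    # how the threat would exploit the vulnerability
    controls: Tuple[str, ...]   # existing controls, possibly none


# Constructed register (one row per threat/vulnerability pair found in the review).
REGISTER: List[Entry] = [
    Entry("Insider leaks classified records", "Confidential information",
          "Staff able to override access controls",
          "privileged user copies records", ("access logging",)),
    Entry("Insider leaks classified records", "Confidential information",
          "Extensive records in compact format",
          "whole archive fits on a keyring", ()),
    Entry("Port scanning leading to break-in", "Web server",
          "Unnecessary network services exposed",
          "scan finds a service, attacker breaks in through it", ("firewall",)),
    Entry("Virus", "Workstations",
          "Unpatched workstation software",
          "virus executes on a vulnerable host", ("anti-virus",)),
    Entry("Virus", "Workstations",
          "Staff able to override access controls",
          "user disables the anti-virus", ()),
]

# Everything the vulnerability review found, including vulnerabilities that no
# known threat exploits (ISO 27005's second output list), and every threat
# identified, including ones with no known vulnerability to exploit.
ALL_VULNERABILITIES: Set[str] = {e.vulnerability for e in REGISTER} | {
    "Dependence on a single external power supplier"}
ALL_THREATS: Set[str] = {e.threat for e in REGISTER} | {"Thunderstorm"}


def by_vulnerability(register: Iterable[Entry]) -> Dict[str, List[str]]:
    """Re-sort the register: each vulnerability with all threats that exploit it."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for e in register:
        index[e.vulnerability].add(e.threat)
    return {v: sorted(threats) for v, threats in sorted(index.items())}


def vulnerabilities_without_threat(all_vulns: Set[str],
                                   register: Iterable[Entry]) -> List[str]:
    """No risk today, but to be recognised and monitored in case a threat appears."""
    return sorted(all_vulns - {e.vulnerability for e in register})


def threats_without_vulnerability(all_threats: Set[str],
                                  register: Iterable[Entry]) -> List[str]:
    """Threats with nothing to exploit: no immediate risk, re-check after changes."""
    return sorted(all_threats - {e.threat for e in register})


def uncontrolled(register: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Threat/vulnerability pairs with no recorded control: the immediate risks."""
    return [(e.threat, e.vulnerability) for e in register if not e.controls]


if __name__ == "__main__":
    for vuln, threats in by_vulnerability(REGISTER).items():
        print(f"{vuln}: exploited by {', '.join(threats)}")
    print("monitor:", vulnerabilities_without_threat(ALL_VULNERABILITIES, REGISTER))
    print("no vulnerability:", threats_without_vulnerability(ALL_THREATS, REGISTER))
    print("uncontrolled:", uncontrolled(REGISTER))
```

The re-sorted view is what makes a shared vulnerability visible: here "Staff able to override access controls" turns up under two unrelated threats, so one control on that vulnerability addresses both, which the threat-ordered list does not show. The "monitor" list is the ISO 27005 second output (vulnerabilities not related to any identified threat); keeping it rather than discarding it is what lets the register catch a threat that was forgotten or that appears later.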

Slide 45 [Closure]: Exercise 5
- Review NIST SP800-53: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
- Prepare a list, with short explanations, of the main types of controls.
- Additionally (not to be handed in):
  1. Be ready to discuss the different types of controls in class.
  2. Read the following week's exercise, "Protecting the Forest".

Slide 46 [Closure]: Summary
- Effective risk analysis requires structured review of threats, vulnerabilities and controls
- For threats we need to understand source, cause and effect
- No immediate risk from threats without vulnerabilities, or from vulnerabilities without threat
- ISO 27005 provides the framework