Session objectives. Threats, Threat Agents, and Vulnerabilities. Information on threats. Threat Identification ISO 27005:2008

Transcription

1 Session objectives Threats, Threat Agents, and Vulnerabilities COMM037 Computer Security Dr Hans Georg Schaathun University of Surrey Recognise the differences between common threat sources Be able to account for a wide range of threats in a risk analysis Raggad, Chapter 3 ISO 27005:2008 Autumn 2010 Week 5 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 1 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 2 / 46 Threat Classification Threat Classification ISO 27005:2008 Information on threats Input Information on threats from incident reviews, asset owners, users, etc. Output A list of threats with identification of type and source. Action Identify threats and their sources. Threat description Threat Source Threat Type Effect of Threat to Asset (consequential threats) Impact and Consequences Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 5 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 6 / 46

2 Threat Classification Classes of Threats Example of Consquential Threats Threats Natural Manmade Root Threat Thunderstorm Secondary Threat Fire Intentional Third-Order Threat Power outage Fourth-Order Threat Web server failure Accidental Outsider Insider At what stage of the path do you put your controls? Human Error Software Fault Hardware Fault Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 7 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 9 / 46 Responsive Controls Preventive Controls Thunderstorm lightning diverter Fire fire alarm, fire hoses, fire extinguishers Power outage UPS Web server failure off-site backup server, 24/7 maintenance crew Prevent web server failure Understanding of cause is essential Controlling the cause threat prevents the higher-order threat Either UPS (responsive) or upgraded power supply (preventive) controling the power outage threat will prevent web server failure (some of the time) Understanding threat paths is useful when planning preventive controls. Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 10 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 11 / 46

3 and Impacts Examples Approach Brain Storm from all Directions Use different approaches and thought processes to cover as many threats as possible. Port Scanning Attacks (root threat) fascilitates break-in attacks (secondary threat) Credit Card Numbers compromised (confidentiality) root threat fascilitates Impersonation Attacks (Integrity) secondary threat Virus (Integrity) root threat fascilitiates other attacks (any type) secondary threat Who are your enemies? what do they want to do? what can they do? (penetration testing) What has happened in the past? to yourself to others What is your great fears? how could it come about? What could happen? Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 12 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 14 / 46 Approach Qualitative and Quantitative Approaches What is a threat source? Recap Quantitiative approaches (e.g. FAIR) measure and quantify issues prioritise mathematically Detail required to measure Qualititative approaches (e.g. ISO 27005) identify all problems no accurate assessment of severity If you start the quantitative approaches to early many threats will slip through Threat source or threat agent An entity with an intention and capability to cause impact Sentient adversaries potential attackers Honest users making mistakes Nature and random events There is a reason behind incidents Enemies with an objective of their own Nature and its random events Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 15 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 17 / 46

4 WikiLeaks from Afghanistan Why do we identify threat sources? WikiLeaks Why do we need to identify the threat sources? When is the threat realised? how often Understand the nature of the threat resourceful attackers or amateurs? How will a preliminary attack be exploited? blackmail? slander? further attacks? military, classified documents on the war in Afghanistan late July 2010 lifted from the US military leaks from Iraq October 2010 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 18 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 20 / 46 WikiLeaks from Afghanistan WikiLeaks from Afghanistan Assets Relevant Confidential information former informants potential targets of retribution future operations allowing counter-operations previous operations leading to impact on goodwill and reputation Taliban and other insurgent organisation military use of the information Freedom of Information Movements champions of the public right to information Anti-War Movements aiming to swing the public opinion about the war Other military and political enemies of the state damage the state s military capability Who is the actual threat source? Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 21 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 22 / 46

5 WikiLeaks from Afghanistan Vulnerabilities Staff with an agenda Extensive records in compact format walk out with an encyclopedia on a keyring Targets industrial control systems specific types of computers from Siemens Malware, able to override the controls Chemical plants Power plants Power grids Exploits four previously unknown vulnerabilities Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 23 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 25 / 46 What is a worm? The attack on Iran Malware Malicious Software Standalone programs do not modify other programs (as viruses do) Usually spreads over the network network congestion is a common impact 60% of infections in Iran The Nuclear Plant in Bushehr compromised Iran will not reveal the extent of damage seems to have delayed the opening of the plant Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 26 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 27 / 46

6 Who is the attack source? A viewpoint from Law Enforcement This would require a lot of resources on the level of a nation state. Gadi Evron, Israeli cybersecurity strategist The known enemies preventing nuclear development USA and Israel China as a testrun of new cyberwarfare technology Are there private organisations with the capability? We do not know what the source is Dr. David Benichou at WIFS 09 in London French juge investigatoire Special advisor to the Minstry of Justice PhD in Computer Sciences Model based on field experience more than 1000 cases Qualitative rather than quantitative Real-life, rather than academic view Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 28 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 30 / 46 The seven families of cybercrime Seven classes of threat sources (graphics c David Bénichou) The seven families of cybercrime Empirical distribution of attack profiles kiddies hackers avengers LP cyberterro bandits spies Adolescent amateurs script kiddies hackers Amateurs with a goal avengers legal persons Resourceful professionals Organised crime Terrorists Spies population dangerousness Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 31 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 32 / 46

7 The big majority Masked Avengers Script Kiddies Hackers Clueless amateurs Use scripts created by others Trying hacks for fun No understanding of the techniques used Technically adept Obscure motivations challenge, learning, experience Grown up individuals with a score to settle Obvious motivation relatively easy to unmask e.g. a disgruntled employee with a desire to punish the company e.g. Mr/Mrs average dragging an ex-lover down in the mud Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 33 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 34 / 46 Legal Persons The big and resourceful Spies, organised crime, and terrorists Financial motives unfair competition trade secrets Highly skilled Easy to identify the motive is a give-away Different motivations political (spies) financial (organised crime) ideological (terrorists) All are resourceful, with solid backing few have resources on this scale the resources make serious impact possible Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 35 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 36 / 46

8 The rare and serious agents Risk Analysis Terrorists Spies Organised Crime Backed with considerable resources money, manpower, information, backup Different objectives Ideology Terrorists Politics Spies Money Organised Crime Similar dedication professionalism and clear objectives How does each family affect your risk analysis? Script Kiddies Hackers Avengers Legal Persons Terrorists Spies Organised Crime Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 37 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 38 / 46 Vulnerability Identification Vulnerability Identification ISO 27005:2008 Vulnerability Identification Areas of vulnerabilities ISO 27005:2008 Input lists of known threats assets existing controls Output a list of vulnerabilities in relation to assets, threats, and controls a list of vulnerabilities not related to any identified threat Action Identify vulnerabilities that could be exploited by the threats Organisation Processes and procedures Management routines Personnel Physical environment Information system configuration Hardware, software or communications equipment Dependence on external parties Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 40 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 41 / 46

9 Vulnerability Identification Vulnerabilities and Known Threats Vulnerability Identification Vulnerabilities without Threat For each threat identified Which assets are under threat? What vulnerabilities can it exploit How? What could be the attack What controls do we have? Resort the list, listing each vulnerability with all its associated threats Is there a problem? No risk at the moment Threat is needed to exploit it Yet, should be recognised and monitored it may change over time we may have forgotten a threat Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 42 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 43 / 46 Exercise 5 Closure Summary Closure Review NIST SP Rev2/sp rev2-final.pdf Prepare a list, with short explanations, of the main types of controls. Additionally (not to be handed in) 1 Be ready to discuss the different types of information security controls in class. 2 read the following week s exercise Protecting the Forest Effective risk analysis requires structured review of threats vulnerabilities For threats we need to understand source cause effect No immediate risk from threats without vulnerabilites vulnerabilities without threat ISO provides the framework Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 45 / 46 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 46 / 46