4: UNDERSTANDING THREAT AND ITS RELATION TO VULNERABILITIES

INTRODUCTION

Threats, along with assets, vulnerabilities, and safeguards, are the essential elements of risk management in an information system, and threat is one of the four major elements of the risk assessment process. Understanding and considering the full spectrum of both human and environmental threats is pivotal to implementing and managing a cost-effective security program for information resources. Too often, analysts employ simplistic anecdotal threat concepts or merely use broad, ill-defined labels such as “hackers” to define the threat environment. Either approach will degrade the effectiveness of a security program.

The anecdotal method of assessing threat is to attempt to identify and stay current on the threat through news articles, stories, or casual observations. This unstructured approach assumes that the security analyst has an omniscient perspective and that the stories and examples used to justify security requirements are fully representative of the whole threat environment. Even if those conditions were achievable, the approach is condemned to being purely retrospective and therefore reactive. Even with a comprehensive report of attacks and exploits in hand, you can mitigate the risks in your systems only after learning about them from others; if your information resources are the first to be exploited, your peers will be hoping to learn from you how to thwart the attack before their own resources are affected.

Applying labels to threats and then attempting to anticipate their tactics is another time-honored approach that has proven ineffective. The most popular technique is to start by assuming that your information resources are the target of external, hostile attackers with significant computer systems experience, often called the hacker. An entire chapter could be written on the evolution of this word and its application, but it would not be instructive here.

Using this stereotyped attacker as a model, the analyst seeks to simulate, or at least anticipate, the actions of a person with the motivation, intent, and skills of this phantom menace. The analyst then assesses the security safeguards of the system under review using tools and techniques designed to emulate the activities of the assumed assailant. When vulnerabilities are identified, safeguards to mitigate the risk are assessed and implemented. This is the most prevalent form of penetration-and-patch security, discussed in another chapter, so suffice it to say that relying on this approach for a security program denies the larger realities of the threat environment. To accurately define and manage security in an operational environment, a structured methodology for categorizing and assessing threat is required.


THREAT DEFINED

A threat is any person, event, or circumstance with the potential to cause harm to an asset. Threats take advantage of system vulnerabilities, that is, weaknesses in a component that could be exploited to violate the system’s security policy. A realized threat has an impact that can be severe enough to degrade an essential mission capability or system and produce an unacceptable result. The security environment attempts to deter threats by employing processes, practices, procedures, and safeguards, and by imposing consequences that discourage a person who intends to exploit an organizational asset.

Threats are either environmental, that is, created by a potential natural disaster such as a tornado, or man-made (Figure 4.1). Within the second category, there are internal and external threats. External threats are created by agents who are not directly employed by the target organization, whereas internal threats are caused by agents within the organization. Man-made internal threats fall into two categories: hostile and nonhostile. Hostile threats are malicious and are intentionally perpetrated to do harm to the organization; they may be either structured or unstructured in nature. Nonhostile threats from agents of the organization may likewise be structured or unstructured. Mistakes and errors of omission are examples of nonhostile threats.



Figure 4.1 Threat Categories

Threat factors are a product of historical data and trend projections. Statistical and expert analysis can be used to provide default threat factor ratings. The ultimate purpose in threat determination is to identify and rank those threats that apply specifically to the assets of an organization. To develop this material, it is vital to gather historical and statistical data to be able to accurately quantify the predictive models.

Threat measurement is a relative calculation of the magnitude of a threat. It must account for system connectivity, the motivation and capability of the threat, and the occurrence determination for the class of threat. Together these factors form a threat profile, a measurement of the relative motivation and capability of a threat. Threat motivation is the degree to which a threat wants to cause harm to the organization. Capability measures the knowledge a threat has about the use of the organization’s information infrastructure and systems.

The novice attacker is not the only threat. In general terms, computer and information systems attackers can be grouped into broad categories based on their location, intent, and skills. The most focused is often identified as the foreign intelligence service operative. These are skilled, aggressive adversaries who attempt to exploit the information infrastructure for intelligence purposes. They seek to identify members of an organization, evaluate their level of access to information of intelligence value, and even recruit their services, all in cyberspace. There are significant advantages to doing business this way, such as easily concealing one’s identity and gaining information rapidly. The cyberterrorist attack goes beyond computer intrusions, denials of service, or defacing of Web pages to target the actual destruction of data or systems.

Use of the Internet and other information systems gives terrorist groups a global command and control communications capability. Such groups have limited resources and electronic intrusion can help them achieve their objectives at minimal cost, so it is expected that cyber-terrorism will continue to be a threat.

Organized crime also represents a major threat, one whose goal is to target computer systems to commit fraud, acquire and exploit proprietary information, and steal funds. Criminal organizations like those in the former Soviet Union use electronic intrusion to hinder police investigations, collect intelligence, destroy or alter data on investigations, and monitor the activities of informants. As these groups develop and acquire more capabilities, this threat stands as one of the most likely to grow in the coming decade. Organized crime attacks are likely to exploit information for financial gain or to obtain access to sensitive information that is useful in the conduct of a criminal enterprise. Critical infrastructure attacks do not fall within the operational purview of organized crime; however, the potential for organized crime entities to act as domestic proxies for terrorists or rogue nation states is a possibility to consider.

Historically, hackers and those seeking opportunities out of curiosity were motivated primarily by learning the intricacies of computer systems and network operations. In most cases, they were unlikely to engage in serious criminal activities. In contrast, today’s hackers appear to be motivated by greed, revenge, or politics and their actions have become more malicious. They are more likely to aim their attacks not just at individuals, but also at enterprise information systems.

The malicious insider, who has legitimate access to proprietary information and mission-critical systems, poses a significant threat because of having trusted status and familiarity with security practices. When an insider betrays his trust, he has a much greater opportunity and ability to do harm than someone on the outside. Moreover, he is less likely to be detected. The malicious insider, motivated by greed, revenge, or even political ideology, can act alone or with outsiders.

Although the insider threat is problematic, a sound security program will implement capabilities to identify behaviors and activities that represent possible insider exploitation of information resources. The activities of malicious insiders can often be identified through the analysis of access control and log files. They can also be detected through the correlation of both digital and physical evidence. In any event, insiders must be considered and assessed at least on par with the potential outsider threat. It is not safe to assume insiders are inherently more trustworthy than outsiders.
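The correlation of digital and physical evidence described above can be automated. The following is an added example, not code from the original chapter: it joins a constructed badge-reader log with a constructed authentication log and flags three conditions a security analyst would want to review (a console login in a facility the user has not badged into, a remote login while the user is badged inside, and after-hours access to a sensitive host). The log layouts, the host list, the business-hours window, and all sample events are assumptions for illustration.

```python
"""Correlate physical badge records with authentication logs to flag possible
insider misuse. Added example, not from the original chapter; the log layouts,
the three rules, and the sample events are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Constructed badge log: timestamp, user, direction (IN/OUT), facility.
BADGE_LOG = """\
2024-03-04T08:55:00 alice IN  HQ
2024-03-04T17:40:00 alice OUT HQ
2024-03-04T09:10:00 bob   IN  HQ
2024-03-04T12:00:00 bob   OUT HQ
2024-03-04T08:30:00 carol IN  HQ
"""

# Constructed authentication log: timestamp, user, access kind (console = at the
# keyboard, vpn = remote), host, facility where the host sits ("-" for remote).
AUTH_LOG = """\
2024-03-04T09:02:00 alice console ws-alice   HQ
2024-03-04T14:15:00 alice console ws-alice   HQ
2024-03-04T13:05:00 bob   console ws-bob     HQ
2024-03-04T10:20:00 carol vpn     vpn-gw     -
2024-03-04T23:45:00 alice console payroll-db HQ
"""

SENSITIVE_HOSTS = {"payroll-db"}   # assumed list of mission-critical systems
BUSINESS_HOURS = (7, 19)           # assumed: 07:00 to 19:00 local time


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    direction: str
    facility: str


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    kind: str
    host: str
    facility: str


def parse_badge(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, direction, facility = line.split()
            events.append(BadgeEvent(datetime.fromisoformat(ts), user, direction, facility))
    return sorted(events, key=lambda e: e.ts)


def parse_auth(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, kind, host, facility = line.split()
            events.append(AuthEvent(datetime.fromisoformat(ts), user, kind, host, facility))
    return sorted(events, key=lambda e: e.ts)


def presence(badge_events, user, at):
    """Facility the user was badged into at time `at`, or None if badged out or
    never seen. Relies on badge_events being sorted by timestamp."""
    location = None
    for e in badge_events:
        if e.user == user and e.ts <= at:
            location = e.facility if e.direction == "IN" else None
    return location


def correlate(badge_text, auth_text):
    """Return (rule, user, timestamp, detail) tuples for authentication events that
    conflict with the physical record or touch sensitive hosts after hours."""
    badges = parse_badge(badge_text)
    findings = []
    for a in parse_auth(auth_text):
        where = presence(badges, a.user, a.ts)
        when = a.ts.isoformat()
        # Rule 1: at the keyboard of a host in a facility the user never badged into
        # (or had already left): shared credentials or an account used by someone else.
        if a.kind == "console" and where != a.facility:
            findings.append(("console-without-presence", a.user, when,
                             f"console login on {a.host} in {a.facility}, badge state: {where}"))
        # Rule 2: remote login while badged inside a facility: someone else may be
        # using the credentials, or the user is avoiding on-site monitoring.
        if a.kind == "vpn" and where is not None:
            findings.append(("remote-while-on-site", a.user, when,
                             f"vpn login while badged into {where}"))
        # Rule 3: sensitive host touched outside business hours.
        if a.host in SENSITIVE_HOSTS and not BUSINESS_HOURS[0] <= a.ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after-hours-sensitive", a.user, when,
                             f"access to {a.host} at {a.ts.strftime('%H:%M')}"))
    return findings


if __name__ == "__main__":
    for finding in correlate(BADGE_LOG, AUTH_LOG):
        print(*finding, sep=" | ")
```

On the constructed data the rules produce four findings: carol’s VPN session while she is badged in, bob’s console login after he badged out, and two findings for alice’s 23:45 console login to the payroll host. None of these is proof of wrongdoing; they are the candidates that the physical record makes worth investigating, which is the point of correlating the two sources.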

When attempting to analyze and measure threat, one should consider access. Access is the degree of physical, logical, or electronic presence a threat could have within the organization. Another factor to consider when measuring threat is the probability of occurrence, which takes into account the number of incidents attributable to each threat class and the population size of the sample. Threat measurement is the second component of risk, after asset valuation, and combines access, threat profile, and occurrence measurement.

TABLE 4.1

Vulnerabilities are the specific weaknesses that these threats can exploit to impact an asset (Table 4.1). System and network hardware, operating systems, applications, protocols, connectivity, the physical environment, and the current safeguards themselves are all potential sources of vulnerabilities.

Exposure records whether a vulnerability can be reached physically or electronically. Physical exposure is a binary value indicating whether the vulnerability can be exploited by someone with physical access to the system. Electronic exposure is a binary value indicating whether the vulnerability can be exploited through electronic access to the system.

The vulnerability subcomponent measures the severity of the vulnerability in terms of the potential damage caused by exploitation, the relative age of the vulnerability (when it was discovered), and the area of impact on operations, a set of binary values recording which operational concerns the vulnerability affects.

Vulnerability is the third component of risk and combines exposure, vulnerability ranking, and the subcomponent. Risk to an organization is the combination of a threat exploiting a vulnerability in a way that could negatively impact an asset; it is based on the threat, vulnerability, and asset measurements (Figure 4.2). Risk analysis must determine which threats can exploit which vulnerabilities against specific assets. For the risk management analysis to be accurate, threats must be juxtaposed against the specific vulnerabilities they can exploit. This mapping of threat to vulnerability is often called threat-vulnerability pairing and is an important part of the risk management process.
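The pairing and the three risk components can be made concrete. The following is an added example, not code from the original chapter: it models threat measurement (access, threat profile, occurrence), vulnerability measurement (exposure, ranking, subcomponent), and asset valuation, pairs each threat only with vulnerabilities whose exposure its access can reach, and ranks the pairs by risk. The chapter names the components but not how to combine them, so the 1-to-5 scales, the multiplicative combination, the age factor, and the sample assets, threats, and vulnerabilities are all assumptions for illustration.

```python
"""Threat-vulnerability pairing with the three risk components named in the
chapter (threat measurement, vulnerability measurement, asset valuation). Added
example, not from the original; the scales, the multiplicative combination and
the sample inventory are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int                  # 1 (low) .. 5 (critical), from asset valuation


@dataclass(frozen=True)
class Threat:
    name: str
    access: frozenset           # subset of {"physical", "electronic"}
    motivation: int             # 1 .. 5: how much the agent wants to cause harm
    capability: int             # 1 .. 5: knowledge of the target infrastructure
    occurrence: float           # incidents attributed to this class / sample size


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str
    physical_exposure: bool     # exploitable by someone with physical access
    electronic_exposure: bool   # exploitable over a network
    ranking: int                # 1 .. 5 severity ranking
    damage: int                 # 1 .. 5 potential damage if exploited
    age_years: float            # time since disclosure (exploit tooling matures with age)
    impact_areas: frozenset     # subset of {"confidentiality", "integrity", "availability"}


def threat_measure(t):
    """Access x threat profile (motivation and capability) x occurrence, scaled to 0..1."""
    profile = (t.motivation * t.capability) / 25.0
    access = len(t.access) / 2.0
    return access * profile * t.occurrence


def vulnerability_measure(v):
    """Exposure x ranking x subcomponent (damage, age, breadth of operational impact)."""
    exposure = (int(v.physical_exposure) + int(v.electronic_exposure)) / 2.0
    age_factor = min(1.0, 0.5 + v.age_years / 4.0)   # assumption: saturates after two years
    subcomponent = (v.damage / 5.0) * age_factor * (len(v.impact_areas) / 3.0)
    return exposure * (v.ranking / 5.0) * subcomponent


def can_exploit(t, v):
    """The pairing test: the threat's access must reach an exposure the vulnerability has."""
    return (("physical" in t.access and v.physical_exposure)
            or ("electronic" in t.access and v.electronic_exposure))


def pair_and_rank(assets, threats, vulns):
    """Pair every threat with each vulnerability it can exploit and rank pairs by risk."""
    value_of = {a.name: a.value / 5.0 for a in assets}
    pairs = []
    for v in vulns:
        for t in threats:
            if can_exploit(t, v):
                risk = threat_measure(t) * vulnerability_measure(v) * value_of[v.asset]
                pairs.append((risk, t.name, v.name, v.asset))
    return sorted(pairs, key=lambda p: p[0], reverse=True)


# Constructed sample inventory.
ASSETS = [Asset("payroll-db", 5), Asset("lobby-kiosk", 1)]
THREATS = [
    Threat("organized crime", frozenset({"electronic"}), 5, 4, 0.3),
    Threat("malicious insider", frozenset({"physical", "electronic"}), 3, 4, 0.1),
    Threat("unstructured hacker", frozenset({"electronic"}), 3, 2, 0.6),
]
VULNS = [
    Vulnerability("unpatched db listener", "payroll-db", False, True, 5, 5, 2.0,
                  frozenset({"confidentiality", "integrity", "availability"})),
    Vulnerability("unlocked server cabinet", "payroll-db", True, False, 3, 4, 0.0,
                  frozenset({"confidentiality", "availability"})),
    Vulnerability("kiosk default password", "lobby-kiosk", True, True, 2, 1, 5.0,
                  frozenset({"integrity"})),
]


def ranked_pairs():
    return pair_and_rank(ASSETS, THREATS, VULNS)


if __name__ == "__main__":
    for risk, t, v, a in ranked_pairs():
        print(f"{risk:.4f}  {t:20s} -> {v:26s} ({a})")
```

Two things the ranked output shows that the prose alone does not: the unlocked cabinet is paired only with the insider, because the remote threats have no physical access to reach its physical exposure, and the kiosk’s default password ranks near the bottom despite being reachable by everyone, because the asset value and potential damage are low. Changing the scoring assumptions changes the numbers, but the pairing filter is the part that keeps the analysis honest.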



Figure 4.2 Threat-Vulnerability Pairing

Although progress is being made in securing wireless networks, rushing to deploy wireless systems poses a major threat of information theft. In addition, the ongoing underground movement to tap into hotspots, including those maintained by businesses, opens up the potential for theft of service and bandwidth.

Security systems are evolving from after-the-fact detection software into platforms that focus on prevention of intrusions before they occur. Companies should consider deploying console software that correlates data across all parts of the network so they can determine if an attack against one part of the infrastructure is related to a problem on another.

Instant messaging and other peer-to-peer programs create vulnerabilities in the network’s defenses, particularly because many users install the instant messaging software on their own. Securing instant messaging by at least setting usage policies is a practical first step. Protecting information assets, whether proprietary data or patents, should be a security priority for all organizations in order to prevent corporate espionage. Business and accounting scandals indicate that every organization should improve the trustworthiness of its transactions and provide audit trails.


ANALYZING THREAT

A vital component of a proactive security plan is an analysis and understanding of the threats facing an organization. Unfortunately, the dialogue regarding IT threats is riddled with invocations of security clearance requirements, sound-bite rhetoric, and the lack of a common threat categorization. As a result, the private sector is expected to make risk management decisions in the absence of a valid threat context. Threat assessments must be conducted to complement vulnerability assessments and enable organizations to make educated decisions to guide their security programs and spending. The threat of a large-scale critical infrastructure attack in today’s environment can be characterized as follows: those with the intent lack the capability, and those with the capability lack the intent, and both conditions are subject to change.

To make responsible risk management decisions, it is important to avoid overreaction and also important not to systematically disregard the full spectrum of threats for lack of empirical evidence.

Any organization is likely to encounter a subset of threat agents responsible for nearly all the attempted or successful intrusions against its infrastructure. These threat agents include insiders, industrial espionage, organized crime, and structured and unstructured hackers. The insider threat remains one of the most pervasive in the modern IT environment. Insider activity may be missed as organizations devote attention to monitoring their external environment and insiders become more adept at hiding their activities. There is also the concern about the use of insider placement as a penetration tactic. Organized threat agents, unable to penetrate external security mechanisms, may seek to place individuals within the organization as temporary workers, employees, or even system administrators. It is important that a security program implements safeguards against the insider threat. Such safeguards include background checks for employees with access to critical systems, a recurring training and awareness program to help employees identify and report potential insider incidents, and the implementation of internal security controls and network monitoring.

Much has been written regarding the threat of industrial espionage conducted by both competitors and state-sponsored intelligence organizations. Although industrial espionage is a continuing threat, it is one that many companies are familiar with and most attacks impact the confidentiality, not the availability, of the information. The sensitivity of business information will drive the safeguards required to protect its confidentiality. These elements are defined within the risk management function and the resultant decisions must be based on empirical data gathered when analyzing threat potential.

Routinely, organizations are most likely to face threats from both structured and unstructured attackers. Scanning and probing of networks occurs routinely against specifically targeted and random systems.

The demonstration of appropriate due diligence provides protection against the emerging threat of legal liability associated with IT security policy. Courts are taking actions to shut down IT infrastructures or hold organizations liable for their information security negligence. One way to validate efforts is through the use of independent threat and vulnerability assessment that documents a security profile and establishes recommendations for mitigating vulnerabilities or safeguarding from threats common to a particular industry.


ASSESSING PHYSICAL THREATS

The reality of physical threats has been driven home by the events of September 11, 2001. When evaluating threats to an IT environment, it is important to recognize the viability of the physical threat and to evaluate the impact that a physical event would have on the continuity of business operations. Physical threats may manifest themselves in the wide range of attacks, from bomb threats, causing the evacuation of a key facility, to large conventional truck bombs. Physical attacks may be launched with the intention of impacting the infrastructure as well as the general population.

In today’s threat environment, a threat assessment methodology is a vital component of an organization’s security program. This methodology should account for a wide variety of threats, including physical threats, and should be based on realistic threat information that projects future threats while also accounting for previous experiences, incidents, and documented attacks within an organization’s peer group. A threat assessment should contain a description of the threat agent, the probability of that agent conducting an attack against the target, the tools the agent could use to attack the target, the level of access the threat agent could obtain to use the tool against the target, and the potential impact an attack would have on operations. The methodology should also identify potential safeguards and the reduction in exposure achieved by implementing each safeguard. Every attempt should be made to quantify the results of the threat assessment. A threat assessment should produce figures that quantify exposure, especially in terms of cost, so that management can immediately relate the potential exposure to the benefits of implementing a proposed safeguard.

As businesses venture into electronic commerce, the need for secure networks is greater than ever before. Whole sectors of society such as banking and telecommunications depend on the availability of reliable and secure networks. Awareness of the importance of information security continues to grow with new threats from hackers, organized crime, and terrorists exploiting information for their own intent. Many organizations have suffered significant losses as a result of the threat. Reflecting this fact is the increasing size of the computer security marketplace and the importance governments are beginning to place on protecting information infrastructures.

Connectivity is increasing at a rate often beyond the capacity to implement security controls. Market pressures on hardware and software vendors reduce the introduction of security features and testing prior to product release. Retrofitting security into existing systems and applications is difficult and expensive, with serious impact on operations.

A fundamental problem exists in the implementation of security controls in that very few organizations invest in proper threat assessment before implementing controls. Organizations need to qualify specific threats to evaluate risks accurately. Some threats may be overlooked while resources are applied to threats that have minimal impact. Security is the identification and management of risk, yet technology is changing faster than traditional risk assessment models can adapt. Organizations are increasing the size of their networks by adding more systems and system complexity. Suppliers, contractors, clients, and customers are increasingly integrated into a seamless network. The inherently insecure Internet and telecommunications infrastructure is the common means of providing connections.

These information architectures create information infrastructures that cross both organizational and national boundaries where no single entity has control or responsibility for security. Information infrastructures include telecommunications, healthcare, finance, government and defense, oil and gas, power generation, transportation, and the Internet.

Identification and evaluation of threats is still a complicated process. It involves the analysis of methods, access, skill levels, and costs used to exploit a given weakness within a system. Threats to information assets are not limited to technology alone. Physical controls, business and operational processes, telecommunications, and employee awareness all play vital roles in protecting from threat. Threats include accidents, errors of omission, and environmental factors such as natural disasters. Threats may be either malicious, in that someone purposely attacks a system, or not malicious, as in the case of a tornado destroying an organization’s information hardware.


INFRASTRUCTURE THREAT ISSUES

In large networks, there are continuous changes in the number and type of systems, connections, and software. Information and physical assets, potential safeguards, and business requirements are always evolving. System vulnerabilities and the threats to them must be understood before policy and risk management decisions can be implemented. Threat assessments attempt to determine what threats exist, their likelihood, and the consequences or potential loss resulting from an attack.

Infrastructures are basic structural foundations for a country. Critical infrastructures include commerce, national security, telecommunications, the Internet, transportation, emergency services, oil and gas, power generation and distribution, healthcare, and finance. Each of these infrastructures has an information component that uses and is reliant on computers and networks to provide services (Figure 4.3). The information component of this infrastructure encompasses many systems connected in different networks owned by government agencies, commercial organizations, and financial institutions. Because of the highly connected nature of networks, unrelated networks, endpoints, and systems have potential access points into the systems within these infrastructures, opening them up to threat.

Infrastructures are ultimately interdependent. The generation of electrical power depends on the availability of oil and gas and a transport system for them. Emergency response systems rely heavily on telecommunications. The size, complexity, distribution, and rate of change in the information infrastructures create security vulnerabilities that threats can exploit. Vulnerabilities at a lower functional level of a system undermine safeguards at higher levels. Basic password controls at the application level can be undermined within the network protocol or operating system. Encryption schemes in the network protocols can be attacked at the operating system level and, in a widely distributed network, may expose information or controls in other computer systems to threats.



Figure 4.3 Relationship between Networks and Infrastructure

A critical challenge in securing systems is the ability to identify emerging threats. The speed at which new technology is introduced creates a rapidly moving target for threat assessments. Each new technology requires high-level technical expertise to analyze. By the time the vulnerabilities a threat can exploit are identified, the technology has changed again. Confidentiality, fear of publicity, and incomplete information make analysis difficult. An accurate prediction of exactly when, how, and by whom a potential threat will manifest itself is difficult. However, a structured assessment of the threat as outlined here provides a concise way to map the threat to specific categories for analysis and assessment.

Historically, information security threats have targeted individual systems. The motives for these attacks varied, but the methods and goals were limited to the computer system as the primary target. A fundamental change is occurring in information security with increasing automation and globalization of information. Attacks against infrastructure are of special importance because of the ramifications that result from the inability of that infrastructure to perform its function. The interdependence of these critical infrastructures multiplies the threat potential. When considering infrastructure vulnerabilities, threats to individual systems and the infrastructure itself must be accounted for. Infrastructure attacks typically require a more coordinated effort and provide better data points for indicator and warning analysis.

There are two major types of targeted attacks in threat assessments. The systems attack is an attack targeted against individual systems or control centers that are not usually detrimental to the overall operation of a whole infrastructure or organization. An infrastructure attack, on the other hand, is designed to significantly compromise the function of an entire infrastructure rather than individual components.

A threat assessment looks at the potential and actual damage from an attack. A successful system attack is an intrusion in which the basic integrity of a system is compromised. This compromise may lead to the loss of confidentiality, data integrity, or system resource availability. This attack does not target the infrastructure in which the computer operates.

A successful infrastructure attack is capable of sustaining compromise over a longer period of time. This attack usually targets recovery systems as well. Due to the interdependence of various infrastructures, an attack on one infrastructure may cascade into failures within other infrastructures. This threat could easily result in a national security emergency.

A limited infrastructure attack is an attack against an infrastructure that causes significant damage and cost, but is recovered without major disruption and does not affect other infrastructures. A limited infrastructure attack would mimic a major natural disaster such as a power outage caused by a hurricane.

Infrastructure attacks require precise targeting and successful, coordinated attacks against multiple system and control points. Attacks may also require the compromise of many levels within the infrastructure architecture such as protocols, software applications, and hardware itself, along with recovery systems. Successful attacks are not easy to accomplish. The success of an attack depends on multiple enabling events, significant planning, and technical capability. Despite the difficulty of an infrastructure attack, it is within the realm of possibility of those groups whose mission is to wreak economic havoc or promulgate terror.

Isolated attacks or accidents can be extremely costly to an organization. In the case of an infrastructure attack, losses can be on the magnitude of national significance. Implementing safeguards within networks and systems is essential to reduce vulnerability to threat. Threat detection will reduce the number of potential attacks. Threat assessments identify threats based on feasibility and indicators of vulnerability. Predicting, detecting, and monitoring potential threats to business and national security are critical.

Four elements are required for a threat to exist: agent, intent, target, and mechanism. There must be an agent with the intent to carry out an attack, and there must be a target and a mechanism whereby the agent can exploit a vulnerability within a system. When all four elements are present, an attack is feasible. The feasibility of a threat is based on current technology, methodology, and the skill of the attacking agent. Widely deployed, extensible technologies have made denial-of-service, spoofing, and covert channel attacks feasible. Methodology is the technique, such as a password guessing algorithm, used to carry out a threat. Technical skill and knowledge of systems, processes, and practices are required to carry out the threat.

Identifying threat feasibility is the first step in threat assessment. Applying this process yields a significant number of potential threats, many of which will never be exploited. Therefore, further analysis is required to refine the likelihood of a threat actually occurring, so that scarce defensive resources are used most effectively and efficiently.

In threat assessment, feasibility is refined by looking for specific indicators of a potential threat. A prerequisite for indicators is intent on the part of the threat agent. Intent helps to qualify the effort, skill, and expense the attacker is willing to invest in exploiting a system vulnerability. Indicators are specific actions on the part of individuals or groups. An example of a threat indicator is the communication of specific threats within an affinity group that meets in cyberspace; another is the publication on a Web site of the methodology used to exploit a vulnerability. When security analysts observe such indicators, the likelihood that a feasible threat will actually be exploited rises, and additional safeguards may be needed.

Feasible threats for which no indications of targeting against an information asset have been observed are potential threats; those whose feasibility has been demonstrated and for which indicators of targeting exist are active threats. When implementing security measures and considering the efficient expenditure of security resources, the threats that are directly applicable to the vulnerable information asset should receive the highest priority.
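The feasibility test and the indicator-driven distinction between potential and active threats can be expressed directly. The following is an added example, not code from the original chapter: it checks the four elements (an agent with intent toward a target, a mechanism that exploits a vulnerability the target has, the skill to use it, and an access path to the target), marks feasible threats as active when an indicator of targeting has been observed, and orders the result so that active threats against the most valuable targets come first. The agents, targets, mechanisms, indicators, and the ordering rule are constructed assumptions for illustration.

```python
"""Threat feasibility (agent, intent, target, mechanism) refined by indicators
of targeting. Added example, not from the original chapter; the sample agents,
targets, mechanisms, indicators and the priority order are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Agent:
    name: str
    skill: int              # 1 .. 5 technical skill
    access: frozenset       # access kinds the agent can obtain: "physical", "electronic"
    intent: frozenset       # names of targets the agent is motivated to attack


@dataclass(frozen=True)
class Mechanism:
    name: str
    exploits: str           # vulnerability class this technique exploits
    required_skill: int     # minimum skill needed to use it
    via: str                # access kind the mechanism needs


@dataclass(frozen=True)
class Target:
    name: str
    value: int              # 1 .. 5 asset value
    vulnerabilities: frozenset   # vulnerability classes present on the target
    reachable_by: frozenset      # access kinds that reach the target


@dataclass(frozen=True)
class Indicator:
    agent: str
    target: str
    observation: str        # what was seen: a communicated threat, a published method


def feasible(agent, target, mechanism):
    """All four elements present: intent toward the target, a mechanism that exploits
    a vulnerability the target has, the skill to use it, and a path to the target."""
    return (target.name in agent.intent
            and mechanism.exploits in target.vulnerabilities
            and agent.skill >= mechanism.required_skill
            and mechanism.via in agent.access
            and mechanism.via in target.reachable_by)


def assess(agents, targets, mechanisms, indicators):
    """Enumerate feasible threats, mark those with indicators of targeting as active,
    and order them: active before potential, then by target value, then agent skill."""
    targeted = {(i.agent, i.target) for i in indicators}
    threats = []
    for a in agents:
        for t in targets:
            for m in mechanisms:
                if feasible(a, t, m):
                    status = "active" if (a.name, t.name) in targeted else "potential"
                    threats.append({"agent": a.name, "target": t.name,
                                    "mechanism": m.name, "status": status,
                                    "value": t.value, "skill": a.skill})
    threats.sort(key=lambda x: (x["status"] != "active", -x["value"], -x["skill"], x["mechanism"]))
    return threats


# Constructed sample data.
AGENTS = [
    Agent("crime group", 4, frozenset({"electronic"}), frozenset({"payment-gateway"})),
    Agent("unstructured hacker", 1, frozenset({"electronic"}),
          frozenset({"payment-gateway", "public-web"})),
    Agent("insider", 3, frozenset({"physical", "electronic"}), frozenset({"hr-records"})),
]
MECHANISMS = [
    Mechanism("sql-injection", "unvalidated-input", 2, "electronic"),
    Mechanism("password-guessing", "weak-passwords", 1, "electronic"),
    Mechanism("media-theft", "unencrypted-media", 1, "physical"),
]
TARGETS = [
    Target("payment-gateway", 5, frozenset({"unvalidated-input", "weak-passwords"}),
           frozenset({"electronic"})),
    Target("public-web", 2, frozenset({"weak-passwords"}), frozenset({"electronic"})),
    Target("hr-records", 4, frozenset({"unencrypted-media"}), frozenset({"physical"})),
]
INDICATORS = [
    Indicator("crime group", "payment-gateway", "attack announced in a closed forum"),
    Indicator("unstructured hacker", "public-web", "exploit write-up published on a web site"),
]


def example():
    return assess(AGENTS, TARGETS, MECHANISMS, INDICATORS)


if __name__ == "__main__":
    for x in example():
        print(f"{x['status']:9s} {x['agent']:20s} -> {x['target']:16s} via {x['mechanism']}")
```

Of the nine agent-target combinations, only five pass the feasibility test, and the unstructured hacker cannot reach the payment gateway through SQL injection because the skill element is missing. Three feasible threats become active because an indicator ties the agent to the target; the insider threat against HR records stays potential until something is observed, which is exactly where the chapter says ongoing data collection has to continue.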

As the world society becomes more dependent on data processing, information generation, and communication, the potential for significant loss increases if these systems are interrupted. With the increasing complexity of technology and connectivity, new threats are appearing that pose risks to information infrastructures. This extended threat model is designed to help identify potential threats in a more structured manner. Furthermore, these threats are prioritized based on specific information about the effort required to exploit them and indicators of the likelihood that they will be exploited.

The design and application of a threat assessment model requires thoughtful consideration of threat, risk, and vulnerability, taking into account the agent, intent, potential target, and mechanism of attack. Threat must be recognized as a continual process that requires ongoing data collection and analysis to identify new and changing threats effectively.
