Threats and vulnerabilities


1 Threats and vulnerabilities
Chapter 6 Threats and vulnerabilities

2 Overview
  Threat model
  Agents
  Actions
  Vulnerabilities

3 Introduction
  Threats
    Definition: capabilities, intentions and attack methods of adversaries to exploit or cause harm to assets
    NIST definition: any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure or modification of information, and/or denial of service
  Goal
    Once assets are identified, identify threats for optimal information security investments
    No defense necessary if no harm anticipated

4 Threat model
  Definition
    Interactions between relevant agents, actions and assets constitute the threat model facing an organization
    Threats arise from motivated people (agents) taking specific actions to exploit assets
  To understand threats
    Understand relevant agents and their motivations
    Understand likely assets to be affected
    Understand likely actions against each asset

5 Threat model

6 Threat agents
  Definition
    The individual, organization, or group that originates a particular threat action
  Three types
    Simple classification into MECE (mutually exclusive, collectively exhaustive) categories
    External
    Internal
    Partners

7 Evolution
  Trends
    Internal agents dropped dramatically
    External agents increased significantly

8 External agents
  Definition
    Agents outside the organization, with no direct links to the organization itself
  Categories
    Activist groups
    Auditors
    Competitors
    Customers
    Nature
    Former employees
    Government
    Cybercrime

9 External agents (contd.)
  Activist groups
    Mix political activism with cybersecurity violations
    E.g. Anonymous, Lulzsec
  Governments
    Chinese APT attacks (Mandiant report)
    Syrian attackers reported
    Stuxnet

10 External agents (contd.)
  Cybercrime
    Nigerian 419 scam
    Organized crime
    Carder planet

11 Internal agents
  Definition
    People linked to the organization, often as employees
  Categories
    Internal auditors
    Help desk
    Upper management
    Human resources
    Janitorial staff
    Software developers
    System administrators

12 Internal agents (contd.)
  Auditors
    Can cause damage in the name of compliance
  Upper management
    Lack of awareness of information security concerns
    May be reversing in the opposite direction
    Often weakest link
    Unaware of security
    Force exemptions from policy

13 Partners
  Definition
    Third parties sharing a business relationship with the organization
  Categories
    Cloud service providers
    Hardware and software vendors
    Contractors

14 Threat actions
  Definition
    Activity performed by the agent in order to affect the confidentiality, integrity, or availability of the asset
  New actions emerging all the time
  Simple categories
    Malware
    Hacking
    Social engineering
    Physical
    Error
    Environment

15 Threat actions (contd.)
  Malware
    Malicious software
    Viruses
    Worms
    Bots
  Hacking
    Brute force
      Poor choice of passwords
      Default passwords
    Cross-site scripting
      Most important threat action (Eric Grosse, VP, Security, Google, NSF meeting 2012)
    SQL injection
    Misuse of privileges

16 Threat actions (contd.)
  Social engineering
    Unapproved software
    Phishing
    Pre-texting
  Physical
    Unauthorized access
    Theft
  Error
    Mis-configuration
  Environment
    Power and equipment outages
    Natural events

17 Vulnerabilities
  Definition
    Weaknesses in information systems that give threats the opportunity to compromise assets
  Relationship with threats
    A vulnerability is not a risk without a threat exploiting it
    A threat is not a risk without a vulnerability to be exploited

18 Vulnerability trends
  Source: Kuhn and Johnson, Vulnerability trends: measuring progress, IEEE IT Pro, 12(4), pg , 2010

19 Vulnerability categories
  Operating system vulnerabilities
    Patch Tuesday
  Application vulnerabilities
    OWASP top 25 list

20 Example case – Gozi trojan
  Installed on over 1 million computers worldwide
    Including over 40,000 in the US
  Creators
    Nikita Kuzmin of Russia
    Deniss Calovskis of Latvia
    Mihai Paunescu of Romania
  Method
    Virus installed silently since 2005
    No malicious activity, hence undetected
    Customers paid Gozi team
    Got a set of “victims”

21 Hands-on activity
  OpenVAS: Open vulnerability assessment scanner

22 Design case
  Help desk

23 Gozi case (contd.)
  Method (contd.)
    Gozi team suggested financial firm to target
      Based on banking preferences of “victims”
      E.g. most commonly used bank
    Gozi team wrote customized software to intercept bank traffic and harvest credentials
  Prosecuted on Jan 23, 2013
    If convicted, could be imprisoned for 60 years each
