Information Security Concepts

Confidentiality, Integrity, Availability – CIA Triad
Confidentiality – Seeks to prevent unauthorized read access to data. Data must only be accessible to users who have the clearance, formal access approval and the need to know.
Integrity – Seeks to prevent unauthorized modification of information.
  Data integrity – Protects information from modification.
  System integrity – Protects the system from modification.
Availability – Ensures information is available when needed. DoS (Denial of Service) is an attack on availability.
Our mission is to balance the needs of confidentiality, integrity and availability and make tradeoffs when needed.

Disclosure, Alteration and Destruction – DAD Triad (the opposite of CIA)
Disclosure – Unauthorized release of information.
Alteration – Unauthorized modification of data.
Destruction – Making systems or data unavailable.

Identity and Authentication, Authorization, and Accountability (AAA)
Identity and Authentication – Proving you are who you claim to be (authenticating) by providing a piece of information or an object that only you possess, such as a password.
Authorization – Describes the actions you can perform on a system once you have been identified and authenticated.
Accountability – Holds users accountable for their actions. Achieved by logging and analyzing audit data.

Non-repudiation
A user cannot deny (repudiate) having performed a transaction. Non-repudiation requires both authentication and integrity.

Least Privilege and Need to Know
A user should be granted the minimum amount of access (authorization) required to perform their job. Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.

Subjects and Objects
Subject – Active entity on a data system, e.g. people, scripts and programs accessing data files.
Object – Passive data within a system, e.g. documents, database tables, text files.
Note – iexplore.exe is a subject while running in memory and an object on the file system.

Defense in Depth
Defense in depth (aka layered defense) applies safeguards (controls – measures to reduce risk) to protect an asset. Any single security control may fail, but by deploying multiple controls you improve CIA.

Due Care and Due Diligence
Due care – Doing what a reasonable person would do, e.g. expecting your staff to keep systems patched.
Due diligence – Management of due care, e.g. verifying that your staff have patched their systems.
Gross negligence – The opposite of due care. If you cannot demonstrate due care, you are grossly negligent.

Compliance with Laws and Regulations
Complying with laws and regulations is a top information security management priority.

Major Legal Systems
Civil Law (legal system) – Leverages codified laws or statutes to determine what is considered within the bounds of law. Judicial rulings carry less weight than under common law.
Common Law – Legal system used in the US, Canada, the UK and most former British colonies. Common law places significant emphasis on particular cases and judicial precedents as determinants of law. Judicial rulings can sometimes supersede statutes and laws created by the legislative body.
Religious Law – Religious doctrine or its interpretation serves as a source of legal understanding and statutes. Islam is the most common source for religious legal systems. Sharia is the term used for Islamic law; it uses the Qur'an and Hadith as its foundation.
Customary Law – Customs or practices that are so commonly accepted by a group that the custom is treated as law. In information security, the concept of best practices is closely associated with customary law.
Example: An organization maintains sensitive data but has no specific legal requirements regarding how the data must be protected. The data is later compromised.
If it were discovered that the company did not employ firewalls or AV and used outdated systems to house the data, many would believe the organization violated, perhaps not a legal requirement, but accepted practices, by not employing the customary practices associated with safeguarding sensitive data.

Criminal, Civil, and Administrative Law
Within common law there are various branches of law, including criminal, civil and administrative law.

Criminal Law
Society is the victim. The goal of criminal law is to promote and maintain an orderly and law-abiding citizenry. To convict someone accused of a criminal act, the crime must be proved beyond any reasonable doubt. Once proven, the punishment will potentially include incarceration, financial penalties or, in some jurisdictions, death.

Civil Law
Aka tort law; deals with injury resulting from someone violating their responsibility to provide a duty of care. An individual, group or organization is the victim. It most commonly concerns private parties, and punishment is focused on compensating the victim.
Common types of financial damages:
Statutory – Prescribed by law; awarded to the victim even if the victim incurred no actual loss or injury.
Compensatory – Provide the victim with a financial award in an effort to compensate for the loss or injury incurred.
Punitive – Awarded to attempt to discourage a particular violation where compensatory or statutory damages alone would not act as a deterrent.

Administrative Law
Aka regulatory law; enacted by government agencies. Government-mandated compliance measures are administrative laws. Examples are FCC regulations, HIPAA security mandates, FDA regulations and FAA regulations.

Liability
Questions of liability often turn into questions regarding potential negligence. The Prudent Man Rule is applied to determine whether actions or inactions constitute negligence.

Due Care
Minimum standard of protection that business stakeholders must attempt to achieve.
The Prudent Man Rule requires that an organization engage in business practices that a prudent, right-thinking person would consider appropriate. Businesses should align themselves with best practices appropriate to their industry, as today's best practices may become the minimum required by the standard of due care.

Due Diligence
Due diligence is a formal process that requires and ensures an organization continue to scrutinize its own practices in order to meet or exceed requirements for the protection of assets and stakeholders. If an organization is compromised in a way that causes significant financial harm to its customers, shareholders or the public, one way to defend itself is to show it exercised due diligence.

Legal Aspects of Investigations

Evidence
Information security professionals should attempt to provide all evidence during investigations. The evidence should be relevant, authentic, accurate, complete and convincing.
Real Evidence – Tangible or physical objects: hard drives, DVDs, USB media or printed documents.
Direct Evidence – Testimony provided by a witness.
Circumstantial Evidence – Provides details regarding circumstances that allow assumptions to be made regarding other types of evidence. If a person testifies she directly witnessed the defendant create and distribute malware, this is direct evidence. If the forensic investigation of the defendant's computer reveals the existence of source code for the malware, this is circumstantial evidence.
Corroborative Evidence – Evidence that provides additional support for a fact that might have been called into question.
Hearsay Evidence – Indirect, second-hand evidence. Exceptions (Rule 803) include computer-generated data and logs.
Best Evidence – Originals are preferred over copies. Conclusive tangible objects are preferred over oral testimony. Prefers evidence that meets the main criteria of relevant, authentic, accurate, complete and convincing.
Secondary Evidence – Copies of original documents and oral descriptions. Exception: Rule 1001 allows logs and documents to be considered originals.

Evidence Integrity
Evidence must be reliable. Checksums such as MD5 and SHA-1 are used to ensure that no data changes occurred as a result of acquisition and analysis.

Chain of Custody
Chain of custody requires that once evidence is acquired, full documentation be maintained regarding the who, what, when and where related to the handling of said evidence. Initials and/or signatures on the chain of custody form indicate that the signers attest to the accuracy of the information concerning their role noted on the form. Use of checksums and chain of custody forms by forensic investigators is best practice.

Reasonable Searches
If evidence was obtained illegally, it will be inadmissible in court. Search warrants are required to search a private citizen's property. Exceptions are property in plain sight or at public checkpoints, and exigent circumstances where there is an immediate threat to human life or of evidence being destroyed. Search warrants only apply to law enforcement and those acting under the color of law. An example is a corporate security professional seizing data in a corporate case under the direct supervision of law enforcement.

Entrapment and Enticement
Entrapment – When law enforcement persuades someone to commit a crime when the person otherwise had no intention to.
Enticement – When law enforcement makes the conditions for commission favourable, but the person is already determined to commit the crime.

Computer Crime
Computer systems as target – Crimes where computer systems serve as the primary target, such as disrupting online commerce by means of Distributed Denial of Service attacks, installing malware on systems for the distribution of spam, or exploiting a vulnerability on a system to leverage it to store illegal content.
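Returning to the Evidence Integrity and Chain of Custody sections above, here is an added worked example (not part of the notes) that takes checksums at acquisition and re-verifies them at every logged handoff, recording the who, what, when and where of each step. It uses only Python's standard hashlib; the evidence image, handler initials, locations and timestamps are constructed. MD5 and SHA-1 are the algorithms the notes name; SHA-256 is recorded alongside them because the older two are no longer collision-resistant.

```python
"""Evidence integrity plus chain of custody, as an added worked example.

Hash the acquired data once, then log every handoff and re-hash at each one so an
altered copy is caught at the handoff where it first appears.
"""
import hashlib
from dataclasses import dataclass, field

# MD5 and SHA-1 are the algorithms the notes mention; SHA-256 is added because the
# older two are collision-broken (fine for spotting accidental change, weak against
# a deliberate forger). Recording all three costs little and keeps older forms valid.
ALGORITHMS = ("md5", "sha1", "sha256")


def fingerprint(data: bytes) -> dict:
    """Return {algorithm: hex digest} for every algorithm in ALGORITHMS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


@dataclass(frozen=True)
class CustodyEntry:
    """One row of the chain-of-custody form: the who, what, when and where."""
    who: str        # handler's name/initials (the signature on the paper form)
    what: str       # action taken: acquired, transferred, analysed, returned...
    when: str       # timestamp recorded at the handoff (ISO 8601, UTC)
    where: str      # physical or logical location of the evidence
    verified: bool  # did the hashes still match at this handoff?


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    hashes: dict                                # digests taken at acquisition
    custody_log: list = field(default_factory=list)

    def verified_throughout(self) -> bool:
        """True only if every logged handoff re-verified the acquisition hashes."""
        return all(entry.verified for entry in self.custody_log)


def acquire(item_id: str, description: str, data: bytes,
            who: str, where: str, when: str) -> EvidenceItem:
    """Take the baseline hashes at acquisition and open the custody log."""
    item = EvidenceItem(item_id, description, fingerprint(data))
    item.custody_log.append(CustodyEntry(who, "acquired and hashed", when, where, True))
    return item


def handoff(item: EvidenceItem, data: bytes, who: str, what: str,
            where: str, when: str) -> bool:
    """Record a handoff and re-hash the data; returns whether it still matches."""
    ok = fingerprint(data) == item.hashes
    item.custody_log.append(CustodyEntry(who, what, when, where, ok))
    return ok


# Constructed sample: a tiny stand-in for a disk image acquired from a laptop.
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"payroll.xlsx\x00"


def demo() -> tuple:
    """Walk the sample through two handoffs; the second carries one altered bit."""
    item = acquire("EV-001", "laptop HDD image (constructed sample)", SAMPLE_IMAGE,
                   who="JD", where="evidence locker A", when="2024-01-10T09:00:00Z")
    clean = handoff(item, SAMPLE_IMAGE, "AB", "transferred to lab",
                    "forensics lab", "2024-01-10T13:30:00Z")
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01        # one flipped bit, invisible to a casual look
    altered = handoff(item, bytes(tampered), "AB", "returned from analysis",
                      "evidence locker A", "2024-01-11T17:00:00Z")
    return clean, altered, item


if __name__ == "__main__":
    clean, altered, item = demo()
    print("hash match at transfer:", clean)      # True
    print("hash match at return:", altered)      # False: the image was altered
    for entry in item.custody_log:
        print(f"{entry.when} {entry.who:>3} {entry.what:<22} {entry.where:<18} "
              f"verified={entry.verified}")
    print("chain intact end to end:", item.verified_throughout())
```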
Computer as a tool – Crimes where the computer is a central component enabling the commission of the crime. Examples include stealing trade secrets by compromising a database server, leveraging computers to steal cardholder data from payment systems, conducting computer-based reconnaissance to target an individual for information disclosure or espionage, and using computer systems for the purposes of harassment.

Intellectual Property
Refers to intangible property that resulted from a creative act.
Trademark – Associated with marketing: a distinguishing name, logo, symbol or image. TM is used for unregistered trademarks and the circle R for registered trademarks.
Servicemark – Used to brand a service (SM).
Patent – Provides a monopoly to the patent holder on the right to use, make or sell an invention for a period of time in exchange for the holder making the invention public. European and US patents last 20 years.
Copyright – A type of intellectual property that protects the form of expression in artistic, musical or literary works. A registered copyright is one that has been registered with the copyright office. Copyrights last 70 years after the death of the author, or 95 years after first publication if it is a product of a corporation, or 120 years after creation. Software is covered by copyright.
  First sale doctrine – Allows a legitimate purchaser of copyrighted material to sell it to another person.
  Fair use doctrine – Allows a purchaser to duplicate copyrighted material without consent. The Copyright Act of 1976 considers the purpose and style of the excerpt; the nature of the copyrighted work; the amount of content duplicated compared to the overall length of the work; and whether the duplication might reduce the value or desirability of the original work.
Licenses – Contract between the provider of software and the consumer. The EULA provides explicit limits on the use and distribution of the software.
Trade Secrets – Business proprietary information that is important for an organization to compete.
The organization must exercise due care and due diligence in the protection of trade secrets. Common protection methods include non-compete and NDA (nondisclosure) agreements. Lack of reasonable protection of trade secrets can cause them to cease being trade secrets.
IP Attacks – Software piracy; trade secrets targeted by espionage. Trademarks can fall under several attacks, such as counterfeiting, dilution (e.g. Kleenex used to refer to any facial tissue), cybersquatting and typosquatting (registering in bad faith a domain name associated with another person's trademark).

Privacy
Privacy is the protection of the confidentiality of personal information. This includes PII (Personally Identifiable Information) such as social security numbers, financial information such as annual salary and the bank account information required for payroll deposits, and healthcare information for insurance purposes.
One issue to understand is whether a citizen's privacy protections are primarily opt-in or opt-out. Opt-in requires individuals to do something in order to have their data used, whereas opt-out agreements require an individual to do something to prevent their data from being resold.

EU Privacy
EU Data Protection Directive:
• Requires notifying individuals how their personal data is collected and used
• Allows individuals to opt out of sharing their personal data with third parties
• Requires individuals to opt in to sharing the most sensitive personal data
• Provides reasonable protections for personal data

OECD Privacy Guidelines
The Organization for Economic Cooperation and Development (OECD) comprises 30 nations, including EU countries, the US, Mexico, Australia, Japan and the Czech Republic. The OECD framework contains eight driving principles.
Collection Limitation Principle – Personal data collection should have limits.
Data Quality Principle – Personal data should be complete, accurate and maintained.
Purpose Specification Principle – The purpose should be known and use should be limited to the purposes outlined at the time of collection.
Use Limitation Principle – Data should never be disclosed without consent.
Security Safeguards Principle – Data should be reasonably protected against unauthorized use, disclosure or alteration.
Openness Principle – The general policy concerning collection and use of personal data should be readily available.
Individual Participation Principle – Individuals should be able to find out if an entity holds their data; be made aware of the personal data held; be given the reason for any denial of access to data held and a process for challenging any denial; be able to challenge the content of any personal data being used; and have a process for updating their personal data if it is found inaccurate or incomplete.
Accountability Principle – The entity using the personal data should be accountable to the principles above.

EU-US Safe Harbor
Personal data of EU citizens may not be transmitted to countries outside the EU even with user consent. US-based organizations must voluntarily consent to the EU Data Protection Directive in order to obtain this data.

US Privacy Act of 1974
Defines how US citizens' PII is used by the federal government. The act provides individuals with access to the data being maintained about them, with some national security exceptions.

International Cooperation
There will always be jurisdictional challenges, as countries differ in laws, making prosecution difficult. The most significant progress in international cooperation on computer crime is the Council of Europe Convention. It has been signed by the 47 EU countries as well as the US, focusing on standards in cybercrime policy.

Import/Export Restrictions
There are import and export restrictions on cryptographic technologies.
In the 90s the US was one of the primary instigators of banning the export of cryptographic technologies, especially to those considered a political threat.

Trans-border Data Flow
See OECD Privacy Guidelines.

Important Laws and Regulations
HIPAA – Health Insurance Portability and Accountability Act – The privacy and security portions seek to guard protected health information (PHI) from unauthorized use or disclosure for entities such as health plans, healthcare providers and clearing houses. The HITECH (Health Information Technology for Economic and Clinical Health) Act extended the privacy and security requirements of HIPAA to those that serve as business associates of those entities.
Computer Fraud and Abuse Act – Title 18 Section 1030 – Criminalizes attacks on US protected computers (government, financial processing, and computers used in foreign or interstate commerce) that result in $5000 in damages in one year.
ECPA – Electronic Communications Privacy Act – Protects electronic communications from warrantless wiretapping.
USA PATRIOT Act of 2001 – Full name: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act. Passed due to the September 11 terrorist attacks. Weakened the ECPA by expanding law enforcement electronic monitoring capabilities.
Gramm-Leach-Bliley Act (GLBA) – Requires financial institutions to protect the confidentiality and integrity of consumer financial information and to notify consumers of privacy practices.
California Senate Bill 1386 (SB1386) – US state-level breach notification law requiring organizations to notify California residents if there is a potential disclosure of their personal data.
Sarbanes-Oxley Act of 2002 (SOX) – Passed as a result of major accounting scandals. The act mandates that public companies ensure adequate financial disclosure, auditor independence and internal security controls such as risk assessment. Intentional violation can lead to criminal penalties.
PCI – Payment Card Industry Data Security Standard (PCI-DSS) – Requires merchants that process credit card data to adhere to the PCI-DSS standards to ensure better protection of cardholder data by mandating security policy, security devices, control techniques and monitoring of the systems and networks comprising cardholder data environments.

Security Frameworks

Security Program Development
ISO/IEC 27000 series – International standards on how to develop and maintain an ISMS, developed by ISO and IEC:
ISO/IEC 27000 – Overview and vocabulary
ISO/IEC 27001 – ISMS requirements
ISO/IEC 27002 – Code of practice for information security controls
ISO/IEC 27003 – ISMS implementation
ISO/IEC 27004 – ISMS measurement
ISO/IEC 27005 – Risk management
ISO/IEC 27006 – Certification body requirements
ISO/IEC 27011 – Telecommunications organizations
ISO/IEC 27015 – Financial sector
ISO/IEC 27031 – Business continuity
ISO/IEC 27033 – Network security
ISO/IEC 27034 – Application security
ISO/IEC 27035 – Incident management
ISO/IEC 15408 – The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard for computer security certification. It is currently in version 3.1 revision 5.
ISO/IEC 17024 – Contains principles and requirements for a body certifying persons against specific requirements, and includes the development and maintenance of a certification scheme for persons.

Enterprise Architecture Development
Zachman Framework – Model for the development of enterprise architectures, developed by John Zachman.
TOGAF – Model and methodology for the development of enterprise architectures, developed by The Open Group.
DoDAF – U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals.
MODAF – Architecture framework used mainly in military support missions, developed by the British Ministry of Defence.
SABSA – Model and methodology for the development of information security enterprise architectures.

Security Controls Development
COBIT 5 – A business framework to allow for IT enterprise management and governance, developed by the Information Systems Audit and Control Association (ISACA).
NIST SP 800-53 – Set of controls to protect U.S. federal systems, developed by the National Institute of Standards and Technology.
COSO Internal Control – Integrated Framework – Set of internal corporate controls to help reduce the risk of financial fraud, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

Process Management Development
ITIL – Processes to allow for IT service management, developed by the United Kingdom's Office of Government Commerce.
Six Sigma – Business management strategy that can be used to carry out process improvement.
Capability Maturity Model Integration (CMMI) – Organizational development for process improvement, developed by Carnegie Mellon University.

Security and 3rd Parties

Service Provider Contractual Security
Service Level Agreements (SLA) – Identify key expectations that the vendor is contractually required to meet, such as performance, security and availability expectations.
Attestation – Larger providers look to attestation to assure customers that they have gone through 3rd-party scrutiny and review. SAS70, ISO 27001 and PCI-DSS (which uses a PCI Qualified Security Assessor, QSA) are used for attestation. For PCI, a Report on Compliance (ROC) and an Attestation of Compliance (AOC) may be issued to the organization.
Right to penetration test / right to audit – Written approval for an organization to perform its own penetration testing or to have a trusted provider perform the assessment on its behalf.
Procurement – The security department should be leveraged prior to procuring a solution or service to make informed, risk-based decisions.
Vendor governance (vendor management) – The goal is to ensure that strategic partnerships between organizations continually provide the expected value.
Acquisitions – Due diligence requires a thorough risk assessment of any acquired company's information security program. It requires vulnerability assessment and penetration testing of the acquired company before any merger of networks.
Divestiture (de-mergers and de-acquisitions) – Management of the risks to sensitive data that arise when separating formerly unified companies, e.g. passwords and accounts, credentials, etc.

Ethics
• Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.

Preamble
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.

Canons
Protect society, the common good, necessary public trust and confidence, and the infrastructure. – Security professionals are charged with promoting safe security practices and bettering the security of systems and infrastructure for the public good.
Act honorably, honestly, justly, responsibly, and legally. – Due to varying laws in different jurisdictions, priority should be given to the jurisdiction in which services are being provided. Provide prudent advice, and refrain from promoting unnecessary fear, uncertainty and doubt.
Provide diligent and competent service to principals. – Provide competent service which maintains the value and confidentiality of information and associated systems. Ensure there is no conflict of interest in providing quality services.
Advance and protect the profession. – Maintain your skills and advance the skills and knowledge of others. Do not associate in a professional fashion with those who might harm the profession.

Computer Ethics Institute – Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

IAB's Ethics and the Internet
RFC 1087 – Internet Activities Board code of ethics.
The following practices are considered unethical:
• Seeking to gain unauthorized access to the resources of the Internet
• Disrupting the intended use of the Internet
• Wasting resources (people, capacity, computers) through such actions
• Destroying the integrity of computer-based information
• Compromising the privacy of users

Information Security Governance

Security Policy and Related Documents

Policy
Policy – High-level management directives that are mandatory and do not delve into specifics.
Components of a program policy:
Purpose – Describes the need for the policy; typically to provide CIA of protected data.
Scope – Describes what systems, people, facilities and organizations are covered by the policy.
Responsibilities – Responsibilities of the information security staff, policy and management teams, as well as the responsibilities of all members of the organization.
Compliance – Describes how to judge the effectiveness of the policy and what happens when the policy is violated.
Policy types (NIST) – Program policy (organization security program), issue-specific policy (email policy, email privacy policy) and system-specific policy (file server policy, web server policy).

Procedures
Low-level, step-by-step guides for accomplishing a task; mandatory. Example: steps to follow when creating a new user.

Standards
Describe the specific use of technology, often applied to hardware and software; mandatory. Example: standard issue of laptop hardware and software.

Guidelines
Guidelines are recommendations and are discretionary. Example: advice to take the first letter of every word in a sentence to form a strong password. You can create a strong password without following this guideline.

Baselines
Baselines are uniform ways of implementing a standard and are discretionary. Example: performing a security baseline using the CIS standard benchmark. You can harden the system without following the benchmark as long as it is at least as secure as one following the benchmark.
Personnel Security

Security Awareness and Training
Awareness – Changes user behavior, e.g. reminding users to never share accounts or passwords.
Training – Provides a skillset, e.g. teaching the user how to perform a task, such as training network engineers how to configure routers.

Background Checks
Organizations should conduct thorough background checks before hiring. This includes criminal records, financial investigation, and verifying education and certifications.

Employee Termination
A fair, formal termination process includes a progressive discipline (ladder of discipline) process:
1. Coaching
2. Formal discussion
3. Verbal warning meeting, with HR attendance
4. Written warning meeting, with HR attendance
5. Termination
This is fair and lowers the chance of a negative reaction. People tend to act more reasonably if they feel they have been treated fairly.

Vendor, Consultant and Contractor Security
They may have access to sensitive data. They must be trained and made aware of the risks. Security policies, procedures and guidance should be applied. Policies regarding ownership of data and intellectual property should be developed. Clear rules dictating where and when a 3rd party may access or store data must be developed.

Outsourcing and Offshoring
Outsourcing – Use of a third party to provide IT services at lower cost.
Offshoring – Outsourcing to another country.
Concerns about offshoring are the risks associated with privacy and regulatory issues, e.g. Australia has no HIPAA, SOX or GLBA.

Access Control Defensive Categories and Types

6 access control types:
1. Preventative
2. Detective
3. Corrective
4. Recovery
5. Deterrent
6. Compensating

3 categories:
1. Administrative (directive) – Created by following company policy, procedure or regulation, e.g. user training.
2. Technical control – Software, hardware or firmware that restricts logical access, e.g. firewalls, routers, encryption.
3. Physical control – Implemented with physical devices like locks, fences, gates and security guards.

Preventative
Preventive controls prevent actions from occurring. Example: assigning limited privileges prevents users from performing unauthorized actions. An administrative preventive control is drug screening to prevent hiring employees who use illegal drugs.

Detective
Detective controls alert during or after a successful attack. Examples: IDS, CCTV, building alarm.

Corrective
Corrective controls work by "correcting" a damaged system or process. AV works as both a detective and a corrective control by scanning for viruses and placing them in quarantine.

Recovery
Recovery controls take place after a security incident has occurred. Examples: reinstallation of the OS, or restore from backup.

Deterrent
Deterrent controls deter users from performing actions on a system. Examples: a "beware of dog" sign, a large fine for speeding, sanction policies for surfing illicit websites.

Compensating
A compensating control is an additional security control put in place to compensate for a weakness in other controls. Example: a policy under which surfing illicit websites causes an employee to lose his job is an administrative deterrent control. Reviewing logs each day adds a detective compensating control to augment the administrative control.

Risk Analysis

Assets
Assets are valuable resources you are trying to protect. Examples: data, systems, people, buildings, property, etc.

Threats and Vulnerabilities
Threat – Potentially harmful occurrence. Examples: earthquake, power outage, network-based worm.
Vulnerability – A weakness that allows a threat to cause harm. Examples: buildings not built to withstand earthquakes, a data center without backup power, a Microsoft Windows XP system that has not been patched in a few years.
Risk = Threat x Vulnerability

Impact
Impact is the severity of damage, sometimes expressed in dollars. Aka consequences or cost.
Risk = Threat x Vulnerability x Impact
The impact of losing human life is near infinite in the CISSP exam.

Risk Analysis Matrix
Australia/New Zealand ISO 31000:2009 Risk Management Principles and Guidelines. The Risk Analysis Matrix allows you to perform qualitative risk analysis (likelihood vs consequences).
L – Low risk, handled via normal processes
M – Medium risk, requires management notification
H – High risk, requires senior management notification
E – Extreme risk, requires immediate action including a detailed mitigation plan

Annualized Loss Expectancy (ALE)
Determines the annual cost of a loss due to a risk.
Asset Value (AV) – The value of the asset you are trying to protect.
  Tangible assets – such as computers or buildings.
  Intangible assets – valued by one of three approaches:
    Market approach – Fair value of the asset compared to assets purchased under similar circumstances.
    Income approach – Present value of the future earning capacity that the asset will generate over its remaining life.
    Cost approach – Fair value of the asset by reference to the cost that would be incurred to recreate or replace it.
Exposure Factor (EF) – Percentage of the asset value exposed to the risk.
Single Loss Expectancy (SLE) – AV x EF (asset value x exposure factor).
Annual Rate of Occurrence (ARO) – Number of losses you suffer per year.
Annual Loss Expectancy (ALE) – Yearly cost due to the risk. SLE x ARO.
Total Cost of Ownership (TCO) – Total (annual) cost of mitigating via a safeguard.
Return on Investment (ROI) – Amount of money saved by implementing the safeguard. If TCO > ALE = positive ROI. If TCO < ALE = negative ROI.

Budget and Metrics
Metrics can greatly assist the information security budgeting process. They help illustrate potentially costly risks and demonstrate the effectiveness (and potential cost savings) of existing controls. The CIS Security Benchmark provides a list of metrics.

Risk Choices
Accept the Risk – It may be cheaper to leave an asset unprotected. Risk acceptance criteria: low likelihood/low consequence risks are candidates for risk acceptance.
High or extreme risks cannot be accepted. Data protected by law or regulation, or risk to human life or safety, are examples of risks that cannot be accepted.
Mitigate the Risk – Lowering the risk (risk reduction) by performing reduction analysis. In some cases the risk can be removed entirely.
Transfer the Risk – e.g. the insurance model: pay the insurance company to assume the risk for you.
Risk Avoidance – A thorough risk analysis should be completed before taking on a new project. If the risk analysis discovers high or extreme risk that cannot be mitigated, avoiding the risk (and the project) may be the best option. If ALE is higher than ROI, avoidance might be the best option.

Quantitative and Qualitative Risk Analysis
Quantitative – Uses hard metrics such as dollars; more objective. Example: ALE.
Qualitative – Uses simple approximate values; more subjective. Example: Risk Analysis Matrix.
Hybrid risk analysis – Uses quantitative analysis for hard numbers and qualitative analysis for the remainder.

The Risk Management Process
US NIST Risk Management Guide – 9-step risk analysis:
1. System Characterization – Scope
2. Threat Identification – Find threats (Risk = Threat x Vulnerability)
3. Vulnerability Identification – Find vulnerabilities (Risk = Threat x Vulnerability)
4. Control Analysis – Analyze the security controls (safeguards) planned to mitigate risk
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Types of Attacker

Hackers
Malicious individuals who attack computer systems. Also called malicious hackers, blackhats and crackers.

Blackhats and Whitehats
A blackhat is a bad guy who attacks systems with malicious intent; a whitehat is a good guy, an ethical hacker. A gray hat's goal is to improve network and system security by exploiting it and making the findings known to the public. The difference between gray hats and whitehats is that whitehats alert owners and vendors without exposing the issue to the public.
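Returning to the Risk Analysis sections above, here is an added worked example (not part of the notes) that carries the notes' formulas through to a treatment decision: SLE = AV x EF, ALE = SLE x ARO, the qualitative likelihood-by-consequence matrix, and the accept/mitigate/transfer/avoid choices. The dollar figures, the two candidate safeguards and the matrix cell ratings are constructed; ROI is computed as the ALE before the safeguard minus the ALE after it, minus the safeguard's annual TCO, so it is positive when the safeguard costs less per year than the losses it prevents.

```python
"""Quantitative (ALE) and qualitative (risk matrix) analysis with a treatment decision.

Added worked example: SLE = AV x EF, ALE = SLE x ARO, and a safeguard's annual
ROI = (ALE before - ALE after) - annual TCO.
"""
from dataclasses import dataclass


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF. EF is the fraction (0..1) of asset value lost in one event."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be fractional: 0.1 means one loss every ten years."""
    return single_loss_expectancy(av, ef) * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_tco: float    # total yearly cost of owning the control
    residual_ef: float   # exposure factor remaining once the control is in place
    residual_aro: float  # annual rate of occurrence remaining once it is in place


def safeguard_roi(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Money saved per year by the safeguard: loss prevented minus what it costs."""
    before = annualized_loss_expectancy(av, ef, aro)
    after = annualized_loss_expectancy(av, sg.residual_ef, sg.residual_aro)
    return (before - after) - sg.annual_tco


# Qualitative side: a 5x5 likelihood x consequence matrix in the layout of the
# Australia/New Zealand standard the notes refer to. The cell ratings here are
# constructed for this example; each organisation calibrates its own.
LIKELIHOOD = ("rare", "unlikely", "possible", "likely", "almost certain")
CONSEQUENCE = ("insignificant", "minor", "moderate", "major", "catastrophic")
MATRIX = (
    "LLMHH",   # rare
    "LLMHE",   # unlikely
    "LMHEE",   # possible
    "MHHEE",   # likely
    "HHEEE",   # almost certain
)
ACTION = {"L": "handle via normal processes",
          "M": "management notification required",
          "H": "senior management notification required",
          "E": "immediate action with a detailed mitigation plan"}


def qualitative_rating(likelihood: str, consequence: str) -> str:
    """Look up the L/M/H/E rating for a likelihood and consequence pair."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


def choose_treatment(rating: str, best_roi: float, regulated: bool = False,
                     life_safety: bool = False) -> str:
    """Apply the risk choices: accept, mitigate, transfer or avoid."""
    if rating == "L" and not (regulated or life_safety):
        return "accept"      # low likelihood/low consequence, no legal or life issue
    if best_roi > 0:
        return "mitigate"    # a safeguard pays for itself in prevented loss
    if rating in ("H", "E") or regulated or life_safety:
        return "avoid"       # cannot be accepted and cannot be mitigated economically
    return "transfer"        # e.g. insurance assumes the remaining risk


def demo() -> dict:
    """Constructed scenario: a $1M data center in a flood zone, two candidate safeguards."""
    av, ef, aro = 1_000_000.0, 0.25, 0.1      # 25% of the asset lost, once per decade
    barriers = Safeguard("flood barriers", annual_tco=10_000,
                         residual_ef=0.05, residual_aro=0.1)
    relocate = Safeguard("relocate data center", annual_tco=40_000,
                         residual_ef=0.0, residual_aro=0.0)
    rois = {sg.name: safeguard_roi(av, ef, aro, sg) for sg in (barriers, relocate)}
    rating = qualitative_rating("unlikely", "major")
    return {
        "sle": single_loss_expectancy(av, ef),
        "ale": annualized_loss_expectancy(av, ef, aro),
        "roi": rois,
        "rating": rating,
        "treatment": choose_treatment(rating, max(rois.values())),
    }


if __name__ == "__main__":
    result = demo()
    print(f"SLE ${result['sle']:,.0f}  ALE ${result['ale']:,.0f}/yr")
    for name, roi in result["roi"].items():
        print(f"  {name:<22} ROI ${roi:+,.0f}/yr")
    print(f"matrix rating {result['rating']} -> {ACTION[result['rating']]}")
    print("treatment:", result["treatment"])
```

Flood barriers come out with a positive ROI ($25,000 of ALE cut to $5,000 for $10,000 a year) while relocation does not, so the high-rated risk is mitigated rather than avoided.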
Script Kiddies
Attack computer systems with tools they have little or no understanding of. Security novices can use Metasploit to compromise systems due to the quality of the tool.

Outsiders
Unauthorized attackers with no authorized privileged access to a system or organization. Outsiders launch the majority of attacks.

Insiders
An insider attack is launched by an internal user who may be authorized to use the system that is attacked. Insider attacks may be intentional or accidental. NIST special publication lists the following threat actions:
• Assault on an employee
• Blackmail
• Browsing of proprietary information
• Computer abuse
• Fraud and theft
• Information bribery
• Input of falsified, corrupted data
• Interception
• Malicious code (virus, logic bomb, trojan horse)
• Sale of personal information
• System bugs
• System intrusion
• System sabotage
• Unauthorized system access

Hacktivists
Hacker activists: those who attack computer systems for political reasons.

Bots and Botnets
A bot (aka zombie) is a computer system running malware that is controlled via a botnet. A botnet contains a central command and control (C&C) network managed by humans called bot herders. Systems become bots after being compromised via server-side attacks, client-side attacks, or running remote access trojans.

Phishers and Spear Phishers
Malicious attackers who attempt to trick users into divulging credentials or PII. Phishing attacks tend to be large scale and use emails that contain links to malicious sites hosting backdoors used to compromise your system. Spear phishing targets far fewer users but of high value, often executives, and is very targeted (whaling). Vishing is voice phishing: using automated scripts over VoIP to automate calls to thousands of people.