Updated_Chapter_2_Cyber Risks, Threats and Vulnerabilities.pdf
CYBERSECURITY FOUNDATIONS CYB281
Chapter 2: Cyber Risks, Threats and Vulnerabilities
9/4/24

Contents
- The Parkerian Hexad
- Types of Attacks
- Cyber threats, vulnerabilities and risks
- Cyber impacts
- Risk Management

The Parkerian Hexad
- The Parkerian hexad is a model named after Donn Parker.
- It is a somewhat more complex variation of the classic CIA triad. Where the CIA triad consists only of confidentiality, integrity and availability, the Parkerian hexad adds possession or control, authenticity and utility, for a total of six principles.

The Parkerian Hexad (Cont.)
- The hexad includes the three principles of the CIA triad, with the same definitions just discussed.
- Parker describes integrity slightly differently: he does not account for authorized but incorrect modification of data. For him, the data must be whole and completely unchanged from its previous state.
- The three additional elements are:
  1. Possession or control
  2. Authenticity
  3. Utility

The Parkerian Hexad (Cont.)
1. Possession or control: the physical disposition of the media on which the data is stored.
   Example: suppose a thief steals a sealed envelope containing a bank debit card and its personal identification number (PIN). Even if the thief never opens the envelope, it is reasonable for the victim to worry that they could do so at any time. This is a loss of possession or control of the information, but not (yet) a breach of confidentiality, because nobody has actually read the contents.

The Parkerian Hexad (Cont.)
2. Authenticity: the accuracy and truth of the origin of the information, i.e. that data really comes from where it claims to come from. This is the property attackers most often target today, by forging the apparent origin of messages, documents or sites.
   Example: a digital signature can be used to verify who signed a digital document and, at the same time, the integrity of the document, since the signature fails to verify if either the signer's key or the content differs from what was signed.
   You have probably had to enter a code, received via SMS or e-mail, after logging in with your password. That second factor confirms the identity of the person logging in, so an attacker cannot take over the account with the password alone. (Strictly this is authentication of a user rather than authenticity of data, but the goal is the same: confirming that the claimed origin is genuine.)

The Parkerian Hexad (Cont.)
3. Utility: how useful the data is to you. Utility is the only principle of the hexad that is not necessarily binary; data can have varying degrees of utility depending on the data and its format.
   Example: someone encrypts data on a disk to prevent unauthorized access or undetected modification, and then loses the decryption key. The data is still confidential, still in their possession, intact, authentic and available, yet in that form it is useless to them. This is a breach of utility.

Types of Attacks
- Attacks generally fall into one of four categories:
  1. Interception
  2. Interruption
  3. Modification
  4. Fabrication
- Each category can affect one or more of the principles of the CIA triad.

Types of Attacks (Cont.)
1. Interception: interception attacks allow unauthorized users to access your data, applications or environments; they are primarily attacks against confidentiality. Interception might take the form of unauthorized file viewing or copying, eavesdropping on phone conversations, or reading someone else's e-mail, and it can be conducted against data at rest or data in motion.
2. Interruption: interruption attacks make your assets unusable or unavailable to you, temporarily or permanently. They mainly affect availability but can affect integrity as well. A denial-of-service (DoS) attack on a mail server is classified as an availability attack.

Types of Attacks (Cont.)
3. Modification: modification attacks involve tampering with an asset. They are primarily attacks on integrity but can also affect availability.
   Example:
   - If you access a file in an unauthorized manner and alter the data it contains, you have affected the integrity of the file's data.
   - If that file is a configuration file that controls how a service behaves, say a web server, changing its contents may also affect the availability of the service.
   - If the change alters how the web server handles encrypted connections (for instance, turning encryption off), you could even call it a confidentiality attack.

Types of Attacks (Cont.)
4. Fabrication: fabrication attacks involve generating data, processes, communications or other similar material within a system. They primarily affect integrity but can affect availability as well. Inserting fake records into a database, or sending e-mail that appears to come from someone else, are kinds of fabrication attack.

Cyber Threat, Vulnerability and Risk
When you consider how an attack might affect you, you can speak of it in terms of threats, vulnerabilities and the associated risk.
- Risk: the likelihood that something bad will happen to an asset (e.g. losing data, losing business after a disaster, failing to comply with laws or regulations).
- Threat: any action that could damage an asset (e.g. theft, fire, hacking).
- Vulnerability: a weakness that allows a threat to be realized or to have an effect on an asset (e.g. not building the walls of the computer centre from fire-resistant material).

Cyber Threats
- Threats have the potential to steal or damage data, disrupt business, or create harm in general. To keep that from happening, you need to know what cyber threats exist.
- Several terms are associated with cyber threats and are worth defining before we look at the types of threat in greater detail:
  1. Threat source or sponsor
  2. Threat actors or agents
  3. Threat actions
  4. Threat analysis
  5. Threat vectors or attack vectors
  6. Threat consequences or impacts

Cyber Threats (Cont.)
1. Threat source or sponsor: the person or organisation that wishes to benefit from attacking an information asset. Threat sources often pay or otherwise pressure threat actors to attack information assets on their behalf.
2. Threat actors or agents: the individuals or groups of individuals who actually execute a cyber-attack.
3. Threat actions: the actual attacks. These are rarely a single isolated event; they usually consist of many discrete activities, including surveillance, initial probing and testing, and the final attack.

Cyber Threats (Cont.)
4. Threat analysis: the process of understanding the level of threat.
5. Threat vectors or attack vectors: the tools, techniques and mechanisms by which an attacker conducts the attack on the target.
- Before we can plan preventative measures or develop the means to respond to cyber-attacks, we need to understand the kinds of people and organisations that will attempt them, together with their possible motivations. Once we have a clear understanding of this aspect of cyber security, we are much better placed to deal with them.

Cyber Threats (Cont.)
- Any attacker or criminal requires three distinct things in order to achieve their goal:
  1. Motive
  2. Means
  3. Method
1. Motive: there must be a reason for undertaking a cyber-attack, even if it appears a rather futile one. Most cybercrime is motivated by money, but some attack systems for revenge, to establish their perceived superiority, to make a political statement, or simply to be a nuisance.

Cyber Threats (Cont.)
2. Means: the attacker must possess a minimum level of skill in order to mount a successful attack. Attackers with little or no skill will often fail in their endeavours and will probably be identified and face justice.
3. Method: a more experienced attacker will develop a plan for the attack.
   This may involve an interim break-in followed by extended periods of reconnaissance before the real attack takes place.
- Some attackers are individuals operating entirely on their own; some are groups of individuals, often organised into a loose community (such as the Anonymous collective); others are highly organised criminal gangs. At the other end of the spectrum are nation states: some attack purely for espionage, while others have a far more sinister agenda.

Seven Domains of a Typical IT Infrastructure
- User domain: the typical IT users and the hardware, software and data they use.
- Workstation domain: the "desktop domain", where most users enter the IT infrastructure.
- LAN domain: a small network organised by function or department, giving access to all resources on the LAN.
- LAN-to-WAN domain: the point at which the IT infrastructure joins a WAN and the Internet.
- WAN domain: the point at which the WAN connects to other WANs via the Internet.
- Remote Access domain: connects remote employees and partners to the IT infrastructure.
- Systems/Applications domain: holds all of the mission-critical systems, applications and data.

Common Threats in the User Domain
- Lack of user awareness: conduct security awareness training, display security awareness posters, insert reminders in banner greetings, and send e-mail reminders to employees.
- User apathy toward policies: conduct annual security awareness training, implement an acceptable use policy (AUP), update the staff manual and handbook, and discuss status during performance reviews.
- User violating security policy: place the employee on probation, review the AUP and employee manual, and discuss status during performance reviews.
- User inserting CD/DVD/USB media with personal files: enable automatic antivirus scans of inserted media, files and e-mail attachments. An antivirus scanning system examines all new files on the computer's hard drive for malware.
  Enable antivirus scanning of e-mail messages with attachments.

Common Threats in the User Domain (Cont.)
- User downloading photos, music or videos: enable content filtering and antivirus scanning of e-mail attachments. Content-filtering appliances are configured to permit or deny specific domain names in accordance with the AUP.
- User destroying systems, applications and data: restrict each user's access to only those systems, applications and data needed to perform their job. Limit write and delete permissions to the data owner.
- Disgruntled employee attacking the organisation or committing sabotage: track and monitor abnormal employee behaviour, erratic job performance, and use of the IT infrastructure during off-hours. Begin access-control lockout procedures based on AUP monitoring and compliance.
- Employee blackmail or extortion: track and monitor abnormal employee behaviour and off-hours use of the IT infrastructure. Enable intrusion detection system/intrusion prevention system (IDS/IPS) monitoring for sensitive positions and their access. IDS/IPS appliances examine inbound and outbound IP traffic streams; alarms and alerts programmed into them help identify abnormal traffic and, in the case of an IPS, block it per policy.

Common Threats in the Workstation Domain
- Unauthorized workstation access: require authentication (a password, ideally with a second factor) to access workstations.
- Unauthorized access to systems, applications and data: define strict access control policies, standards, procedures and guidelines. Implement a second-level test, such as multi-factor authentication, to verify a user's right to gain access.
- Desktop or laptop operating system vulnerabilities: define a workstation operating system vulnerability window policy. The vulnerability window is the gap in time between a security update becoming available and its installation; the computer is exposed for the whole of that window. Run periodic workstation domain vulnerability scans to find gaps.
- Desktop or laptop application software vulnerabilities or missing patches: define a workstation application software vulnerability window policy. Update application software and apply security patches according to the defined policies, standards, procedures and guidelines.
- Viruses, malicious code and other malware: apply workstation antivirus and malicious-code policies, standards, procedures and guidelines. Deploy an automated antivirus solution that scans individual workstations and keeps their protection up to date.

Common Threats in the LAN Domain
- Unauthorized physical access to the LAN: secure wiring closets, data centres and computer rooms; allow no access without proper credentials.
- Unauthorized access to systems, applications and data: implement strict access control policies, standards, procedures and guidelines. Require second-level identity verification to access sensitive systems, applications and data.
- LAN server operating system vulnerabilities: define vulnerability window policies, standards, procedures and guidelines. Conduct LAN domain vulnerability assessments.
- LAN server application software vulnerabilities and patch updates: define a strict software vulnerability window policy requiring prompt patching.
- Rogue users on WLANs: keep unauthorized users off the wireless network. Protect the WLAN with a network key (WPA2 or WPA3 with a strong passphrase) and require second-level authentication before granting WLAN access. Turning off SSID broadcasting on wireless access points (WAPs) is often recommended, but it is not a real control: the SSID is still sent in the clear in probe and association frames, so it only hides the network from casual users.
- Confidentiality of data on WLANs: maintain the confidentiality of data in transit by enforcing encryption between the workstation and the WAP (WPA2/WPA3 encryption rather than an open network).
- LAN server configuration guidelines and standards: LAN servers have different hardware, operating systems and software, which makes them difficult to manage and troubleshoot consistently; documented configuration baselines reduce this variation.
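The "vulnerability window" defined on the Workstation domain slide, and the window policies repeated for LAN servers above, are easy to turn into a check that runs over a patch inventory. The following is an added example, not code from the slides or from any product they mention. The host names, advisory identifiers, dates and the per-domain day limits are constructed assumptions; a real check would read the same fields from a patch-management export. It reports each host's window (release date of the fix to the install date, or to the report date if still unpatched) against the policy limit for its domain, and separates hosts that are still exposed from those that were patched late.

```python
"""Vulnerability-window compliance check over a constructed patch inventory.

Added example for the lecture, not from the slides. Host names, advisory ids,
dates and the policy limits are assumptions chosen for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed policy: maximum number of days a host may stay unpatched after a fix
# is released. Exterior devices get a near "zero-day" window (assumption).
WINDOW_POLICY_DAYS = {
    "workstation": 14,
    "lan_server": 7,
    "exterior_device": 1,
}

# Report date used for the sample run (assumption).
REPORT_DATE = date(2024, 9, 20)


@dataclass
class PatchRecord:
    host: str
    domain: str                 # key into WINDOW_POLICY_DAYS
    advisory: str               # constructed advisory id, not a real CVE
    released: date              # date the fix became available
    installed: Optional[date]   # None = still unpatched


def vulnerability_window(rec: PatchRecord, today: date) -> int:
    """Days of exposure: release -> install, or release -> today if unpatched."""
    end = rec.installed if rec.installed is not None else today
    return (end - rec.released).days


def evaluate(records: List[PatchRecord], today: date) -> List[Tuple[str, str, int, int, str]]:
    """Return (host, advisory, window_days, limit_days, status) per record.

    OK                 patched within the policy window
    OPEN               unpatched, but still inside the window
    VIOLATION-OPEN     unpatched and past the limit: currently exposed
    VIOLATION-CLOSED   patched, but later than the limit: record for audit
    """
    results = []
    for rec in records:
        limit = WINDOW_POLICY_DAYS[rec.domain]
        window = vulnerability_window(rec, today)
        if rec.installed is None:
            status = "VIOLATION-OPEN" if window > limit else "OPEN"
        else:
            status = "VIOLATION-CLOSED" if window > limit else "OK"
        results.append((rec.host, rec.advisory, window, limit, status))
    return results


# Constructed sample inventory (not real hosts or advisories).
SAMPLE_INVENTORY = [
    PatchRecord("ws-101",   "workstation",     "ADV-0001", date(2024, 9, 1),  date(2024, 9, 10)),
    PatchRecord("ws-102",   "workstation",     "ADV-0001", date(2024, 9, 1),  None),
    PatchRecord("srv-fs1",  "lan_server",      "ADV-0002", date(2024, 8, 20), date(2024, 9, 2)),
    PatchRecord("fw-edge1", "exterior_device", "ADV-0003", date(2024, 9, 3),  None),
    PatchRecord("ws-103",   "workstation",     "ADV-0004", date(2024, 9, 15), None),
]

if __name__ == "__main__":
    for host, adv, window, limit, status in evaluate(SAMPLE_INVENTORY, REPORT_DATE):
        print(f"{host:9} {adv:9} window={window:3}d limit={limit:2}d {status}")
```

The two VIOLATION states are deliberately distinct: an open violation is a live exposure that needs action today, whereas a closed one is evidence for the next review that the patch process is slower than policy allows.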
Common Threats in the LAN-to-WAN Domain
- Unauthorized probing and port scanning: drop ICMP echo requests (ping uses the Internet Control Message Protocol echo-request/echo-reply exchange) and filter all unused ports on exterior IP devices in the LAN-to-WAN domain, so that probes and scans go unanswered rather than revealing what is exposed. Monitor for scanning activity with an IDS/IPS. (Scanning cannot be switched off on the attacker's side; the aim is to minimise what a scan learns and to detect it when it happens.)
- Unauthorized access: apply strict security monitoring controls for intrusion detection and prevention. Monitor traffic and block it immediately if it is malicious.
- IP router, firewall and network appliance operating system vulnerabilities: define a strict, near-zero-day vulnerability window for these devices. Apply security fixes and software patches right away.

Common Threats in the WAN Domain
- Most traffic is sent as clear text: prohibit use of the Internet for private communications unless encryption and virtual private network (VPN) tunnels are used. Enforce the organisation's data classification standard.
- Vulnerable to eavesdropping: use encryption and VPN tunnelling for IP communications.
- Vulnerable to malicious attacks: deploy layered LAN-to-WAN security countermeasures.
- Vulnerable to DoS and DDoS attacks: apply filters on exterior stateful firewalls and on the WAN interfaces of IP routers.
- Vulnerable to corruption of information and data: encrypt IP transmissions with VPNs. Back up data and store copies in offline data vaults; test the backups regularly.
- Insecure TCP/IP applications: never use TCP/IP applications that transmit in the clear (for example Telnet, FTP or plain HTTP) for private transmission without proper encryption. Create a dedicated network management virtual LAN (VLAN).
- Attackers e-mailing Trojans, worms and other malicious software freely and constantly: scan all e-mail attachments for file type, viruses and malicious software at the LAN-to-WAN domain.

Common Threats in the Remote Access Domain
- Brute-force user ID and password attacks: define user ID and password policies.
  Require passwords of more than eight characters that mix letters and numbers (longer passphrases are better still), and pair the policy with account lockout or rate limiting, since password rules alone do not stop online guessing.
- Unauthorized remote access to IT systems, applications and data: apply first-level and second-level (multi-factor) authentication for remote access to sensitive systems and data.
- Confidential data compromised remotely: encrypt all confidential data at rest in the database or on disk. Stolen data is then unreadable without the key, which is why the encryption keys must be stored and managed separately from the data they protect.

Common Threats in the Systems/Applications Domain
- Unauthorized access to data centres, computer rooms and wiring closets: apply policies, standards, procedures and guidelines for staff and visitors to secure facilities.
- Difficult-to-manage servers that require high availability: create a converged system that brings together servers, storage and networking.
- Server operating system vulnerability management: define a vulnerability window for server operating system environments. Maintain hardened production server operating systems.
- Security required by cloud computing and virtual environments: implement virtual firewalls and segment servers onto separate VLANs. A virtual firewall is a software-based firewall used in virtual environments.
- Corrupt or lost data: implement daily data backups and off-site storage for monthly archives. Define data recovery procedures based on defined Recovery Time Objectives (RTOs).

Cyber Vulnerabilities
- Why do cyber-attacks succeed? Because of cyber vulnerabilities.
- A cyber vulnerability is any weakness that can be exploited to mount an attack on a network, system or service.
- Cyber vulnerabilities include:
  1. Policy, process and procedure vulnerabilities
  2. Technical vulnerabilities
  3. Technical attack vectors: end-point devices
  4. People-related vulnerabilities
  5. Physical and environmental vulnerabilities

Cyber Vulnerabilities (Cont.)
- Policy, process and procedure vulnerabilities: many organisations have robust policies and procedures in place, either to ensure that the right things happen in the correct sequence, or to ensure that the wrong things do not happen. Some key policies and procedures that organisations might overlook or fail to undertake:
  1) Failure to have an overall information security policy
  2) Lack of, or poorly written, access control policies
  3) Failure to change user access rights when a user changes role or leaves the organisation
  4) Lack of network segregation
  5) Use of untested software
  6) Failure to restrict the use of system utilities
  7) Poor protection against malware and failure to keep protection up to date

Cyber Vulnerabilities (Cont.)
- Technical vulnerabilities: technical vulnerabilities are sometimes less obvious to spot but are frequently highly dangerous. They could also be considered failures of policy, process or procedure, but are significant enough to warrant their own section. Technical vulnerabilities include:
  1) Poor coding practice
  2) Poor specification of requirements
  3) Poor quality assurance and testing
  4) Single points of failure

Cyber Vulnerabilities (Cont.)
- Technical attack vectors: end-point devices. An attack vector is the path an attacker takes to exploit a vulnerability. Network-connected end-point devices that are frequently used as attack vectors, because they are typically weakly protected and rarely patched, include:
  1) Internet Protocol (IP) cameras
  2) Fitness treadmills and body-worn fitness trackers
  3) Thermostats and smoke detectors

Cyber Vulnerabilities (Cont.)
- People-related vulnerabilities: there are numerous people-related vulnerabilities. Some arise from a lack of training and awareness provided by the organisation; others arise from people's failure to think and act logically or to follow instructions. They include:
  1) Social engineering
  2) Lack of awareness
  3) Failure to comply with company policies and good practice
  4) Simple passwords
  5) Poor response to training and awareness

Cyber Vulnerabilities (Cont.)
- Physical and environmental vulnerabilities: these affect several areas, and their impact can be dramatic. They include:
  1) Building and equipment room access
  2) Physical access to individual items of equipment
  3) Heating, ventilation and air conditioning
  4) Power

Cyber Impacts
- Cyber impacts or consequences are the result of an unwanted event: a vulnerability has been exploited by a threat. Impacts come in many shapes and forms, but all require some sort of decision to be made.
- Many impacts are felt at a personal or individual level, while others affect whole organisations. We will look at:
  1) Personal impacts
  2) Organisational impacts
  3) Financial impacts
  4) People impacts

Cyber Risks
- Today there is a growing number of cyber risks for organisations in all industries around the world.
- Cyber risks can be quantified in terms of data loss or failure of information technology (IT) systems.
- Unfortunately, many organisations simply do not have enough qualified staff, time, resources or experience to identify all of the potential cyber risks.
- Cyber incidents have risen to the top of the list of business risks, with a surge in ransomware attacks leading the pack as the top cyber threat that increases cyber risk for all organisations.

Cyber Risks (Cont.)
- The National Institute of Standards and Technology (NIST) defines cyber risk as the risk of financial loss, operational disruption, or damage resulting from the failure of the digital technologies an organisation employs, brought about by unauthorized access, use, disclosure, disruption, modification or destruction of those systems.
- Cyber risk commonly refers to any risk of financial loss, disruption or damage to the reputation of an organisation resulting from the failure of its information technology systems.
- Cyber risk is the intersection of assets, threats and vulnerabilities: the potential for loss, damage or destruction of an asset when a threat takes advantage of a vulnerability. Put another way:
  Risk = Threat x Vulnerability x Impact
  Cyber risk = impact of the threat x probability of the attack

Cyber Risks (Cont.)
- One may think of cyber risk specifically in terms of technology and data loss, but cyber risk can also result in brand or reputational damage, loss of productivity and loss of revenue.
- Cyber risks generally concern the risks of doing business in an interconnected, online world, but there are other threats too, for example insider threats and corporate spying.
- Cyber risks may result from operational IT issues such as:
  1. Poor system integrity
  2. Lack of implementation of best practices for IT, risk management and cybersecurity

Types of Cyber Risks
- Cyber risks may be:
  1. Internal
  2. External
- Internal cyber risks include:
  - device loss or theft
  - lack of employee education and training
  - unauthorized use of devices
  - unauthorized data access
  - corporate spying
  - stealing, deleting or damaging data and systems

Types of Cyber Risks (Cont.)
- External cyber risks relate to threats from outsiders who are:
  - attempting to gain access to your systems and network
  - attempting to steal sensitive data
- External cyber risks include:
  - ransomware attacks
  - phishing schemes
  - vulnerability exploitation and hacking
Are Cyber Risks and Cyber Threats the Same?
- "Cyber risk" and "cyber threat" are often used interchangeably, but there are differences between them.
- A cyber threat is generally any circumstance or event that could harm an organisation's information systems through unauthorized access to systems and networks, including the potential for data destruction, modification or unauthorized release. An attacker realises a threat by exploiting a vulnerability as part of a malicious act to damage or steal data.
- Cyber risk is the potential impact of a cyber threat negatively affecting your organisation.
- In terms of risk, it is about looking at potential losses, not just to systems and data, but also financial losses, damage to your reputation, and loss of your ability to do business.

Risk Management
- Risk management processes compensate for the risks in your environment.
- Risk management is the process of identifying, quantifying and managing the risks that an organisation faces.
- It aims to strike an efficient balance between realising opportunities for gains and minimising vulnerabilities and losses.
- As an essential element of good governance, risk management needs to be recurrent, supporting organisational improvement, performance and decision making.
- The figure shows a typical risk management process at a high level:
  1. Identify assets
  2. Identify threats
  3. Assess vulnerabilities
  4. Assess risks
  5. Mitigate risks

Risk Management (Cont.)
1. Identify assets:
   - One of the first and, arguably, most important parts of the risk management process is identifying the assets you are protecting.
   - If you cannot enumerate your assets and evaluate the importance of each, protecting them becomes a difficult task indeed.
2. Identify threats:
   - After enumerating your critical assets, you can begin to identify the threats that might affect them.
   - It is often useful to have a framework for discussing the nature
3. Assess vulnerabilities:
   - Assess vulnerabilities in the context of potential threats.
   - Any given asset may face thousands or millions of threats, but only a small fraction of these will be relevant.

Risk Management (Cont.)
4. Assess risk:
   - Once you have identified the threats and vulnerabilities for a given asset, you can assess the overall risk.
   - Risk is the conjunction of a threat and a vulnerability. A vulnerability with no matching threat, or a threat with no matching vulnerability, does not constitute a risk.
5. Mitigate risks:
   - To mitigate risks, you put measures in place to account for each threat. These measures are called controls.
   - Controls are divided into three categories:
     1. Physical controls
     2. Logical controls
     3. Administrative controls

Physical controls:
- Protect the physical environment in which your systems sit, or where your data is stored.
- Physical controls include fences, gates, locks, bollards, guards and cameras.
- If you are not able to physically protect your systems and data, any other controls you put in place become irrelevant.

Risk Management (Cont.)
Logical controls:
- Sometimes called technical controls.
- Protect the systems, networks and environments that process, transmit and store your data.
- Logical controls include passwords, encryption, access controls, firewalls and intrusion detection systems.
- Logical controls let you prevent unauthorized activities.

Administrative controls:
- Based on rules, laws, policies, procedures, guidelines and other items that are "paper" in nature.
- Administrative controls dictate how the users of your environment should behave.
- An important part of administrative controls is the ability to enforce them.
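The five-step process above, the rule in step 4 that a threat without a matching vulnerability (or vice versa) is not a risk, and the "impact of the threat x probability of the attack" formula from the Cyber Risks slides can be put together in a small risk register. The following is an added example, not code from the slides or from any framework they cite. The assets, threats, vulnerabilities, impact scores, likelihoods and the control-category mapping are constructed assumptions for illustration; the point is the pairing logic and the ranking, which a real register would apply to its own data.

```python
"""Risk register: pair threats with vulnerabilities and score the result.

Added example for the lecture, not from the slides. Asset names, threats,
vulnerabilities, impact scores, likelihoods and control categories are
constructed assumptions chosen to illustrate the process.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:            # step 1: identify assets
    name: str
    impact: int         # 1 (low) .. 5 (critical): consequence if compromised


@dataclass(frozen=True)
class Threat:           # step 2: identify threats
    name: str
    asset: str          # asset the threat targets
    exploits: str       # weakness class the threat needs to succeed
    likelihood: float   # 0.0 .. 1.0: estimated probability over the review period


@dataclass(frozen=True)
class Vulnerability:    # step 3: assess vulnerabilities
    asset: str
    weakness: str       # weakness class actually present on the asset
    control: str        # control category that would close it (physical/logical/administrative)


def assess_risks(assets: List[Asset], threats: List[Threat], vulns: List[Vulnerability]) -> List[Dict]:
    """Step 4: a risk exists only where a threat against an asset matches a
    vulnerability present on that same asset. Score = likelihood x impact.
    Returns risks sorted highest-score first, each with the control that mitigates it (step 5)."""
    impact_of = {a.name: a.impact for a in assets}
    present = {(v.asset, v.weakness): v for v in vulns}
    risks = []
    for t in threats:
        v = present.get((t.asset, t.exploits))
        if v is None:
            continue    # threat with no matching vulnerability: not a risk
        risks.append({
            "asset": t.asset,
            "threat": t.name,
            "vulnerability": v.weakness,
            "score": round(t.likelihood * impact_of[t.asset], 2),
            "control": v.control,
        })
    return sorted(risks, key=lambda r: r["score"], reverse=True)


def unmatched_vulnerabilities(threats: List[Threat], vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Vulnerabilities with no matching threat: not risks today, but worth tracking
    because a new threat would turn them into one."""
    threatened = {(t.asset, t.exploits) for t in threats}
    return [v for v in vulns if (v.asset, v.weakness) not in threatened]


# Constructed sample register (assumptions, not from the slides).
ASSETS = [Asset("customer-db", 5), Asset("intranet-wiki", 2), Asset("lobby-kiosk", 1)]
THREATS = [
    Threat("ransomware via phishing", "customer-db", "no_mfa", 0.4),
    Threat("SQL injection from Internet", "customer-db", "unvalidated_input", 0.6),
    Threat("defacement", "intranet-wiki", "unpatched_os", 0.3),
    Threat("physical theft", "lobby-kiosk", "unlocked_room", 0.2),   # room is locked: no vuln
]
VULNS = [
    Vulnerability("customer-db", "no_mfa", "logical"),
    Vulnerability("customer-db", "unvalidated_input", "logical"),
    Vulnerability("intranet-wiki", "unpatched_os", "logical"),
    Vulnerability("intranet-wiki", "no_security_policy", "administrative"),  # no threat listed
]

if __name__ == "__main__":
    for r in assess_risks(ASSETS, THREATS, VULNS):
        print(f'{r["score"]:4} {r["asset"]:14} {r["threat"]:28} -> {r["control"]} control')
    for v in unmatched_vulnerabilities(THREATS, VULNS):
        print("tracked, no current threat:", v.asset, v.weakness)
```

Keeping the unmatched vulnerabilities in a separate list, rather than silently dropping them, matches how the process is meant to recur: the next time threats are re-identified, anything in that list is checked against the new threat set first.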