Concept of threats and threat environment
The Threat Environment, Hacking and Preventing Attacks
2013
NAME: UYOYO EDOSIO
MSC | Information Technology Management
CONTENTS
1 INTRODUCTION 2
2 THREAT ENVIRONMENT 3
2.1 CONCEPT OF THREAT 3
2.2 TYPES OF THREAT 3
2.3 DISCUSSION: WHAT IS THE MOST DANGEROUS THREAT? 4
3 HACKERS 5
3.1 WHAT IS HACKING & WHO ARE HACKERS? 5
3.2 TYPES OF HACKERS 5
3.2.1 SCRIPT KIDDIES 6
3.2.2 WHITE HACKERS 6
3.2.3 BLACK HAT HACKER 6
3.2.4 GREY HATS 6
3.3 HOW HACKERS ATTACK? 7
3.4 MALWARE ATTACKS 7
3.5 WORMS: 8
3.6 VIRUS: 8
3.7 TROJANS: 8
3.8 SOCIAL ENGINEERING ATTACKS 8
4 THREAT PREVENTION MECHANISMS 8
4.1 INTRUSION PREVENTION SYSTEMS (IPS) 8
4.2 EDUCATION OF USERS AND CONSISTENT AWARENESS 9
4.3 ANTIVIRUS, ANTI-SPYWARE 9
4.4 AUDIT LOG REVIEW 9
4.5 ACCESS CONTROL (PHYSICAL AND ROLE BASED ACCESS CONTROL): 9
5 DISCUSSION AND CONCLUSION 9
6 REFERENCES 11
1 INTRODUCTION
With the advent of the ingenious technology called the "internet", human beings have created a whole new global community. In this community there is easier communication without geographic limitations, real-time data exchange for decision making, and easy access to unlimited information (Harvey & Novicevic, 2006).
However, there are malicious members of this community (such as hackers, disgruntled staff and social engineers) who threaten other members of the community through their nefarious activities (Loch & Carr, 1991) (Hasan & Prajapati, 2009). Their major aim is to breach the confidentiality of information passed across networks, alter the integrity of information to suit their unethical intentions, and disrupt the availability of data to legitimate users. In 2010, 40% of all major security breaches were perpetrated by hackers (Symantec Corporation, 2013).
These malicious members attack using different mediums, such as worms, viruses, Trojans, DoS and fake websites (McGraw & Morrisett, 2000).
Every computer, mobile phone or electronic gadget connected to the internet is exposed to these forms of attack. In 2004, a honeypot experiment carried out by Roger Grimes revealed a fifty percent probability that an unprotected computer would be attacked within 32 minutes of gaining internet access (O'Kane, et al., 2011).
It is therefore important for individuals, countries and governments to protect their information systems, as the number of attacks is not only increasing on a daily basis but their impact is also becoming graver.
Aim of Report
The aim of this report is to explain the concept of threats, enlighten readers on the activities of hackers, and show how to protect information technology assets from attacks.
Figure 1: Major Causes of Security Breaches (Symantec Corporation, 2013)
2 THREAT ENVIRONMENT
2.1 CONCEPT OF THREAT
Due to the ubiquitous nature of the internet, threats have no limitations. Individuals, organizations and nations are constantly under attack (Richardson, 2011). In fact, the internet has created a platform where attacks can be conveniently perpetrated without the physical presence of an attacker. Before one can attempt to fight threats, one must understand what threats are and the types of threats one could possibly face.
A threat is an attempt to circumvent the security of a network (Bishop, 2005). It can also be referred to as a probable attack on the weak points of a data security system.
According to (Sumner, 2009), threats are risks: they have a likelihood of occurring. Like every other risk, they require assessment and mitigation strategies.
Of these two definitions, (Sumner, 2009) gives the more holistic definition of threat, taking into consideration the uncertainty of threats and also the need to mitigate threats to reduce their impact.
2.2 TYPES OF THREAT
Threats come in different forms, ranging from national and economic threats to threats to an individual's personal information assets.
Personal threats: threats can be in the form of adware or password sniffers; these malwares are used to gain unauthorized access to a victim's profile, emails or credit cards and to perform unauthorized transactions (Hasan & Prajapati, 2009).
National security threats: national security threats involve the use of malwares (such as hoaxware and riskware) to cause political unrest among nations (Hasan & Prajapati, 2009).
The table illustrates possible forms of threats and the possible perpetrators:

Table 1: Broad categorization of threats based on source and perpetrator

Source/Perpetrator | Human threats | Nonhuman threats
Internal threats | Loyal employees; disgruntled employees; wrong data input; unauthorized data modification | Power surge; program bug
External threats | Competitors, nations; phishing attacks, terrorists; hackers, social engineers; script kiddies | Fire; flood, storms; earthquake; viruses, malware
2.3 DISCUSSION: WHAT IS THE MOST DANGEROUS THREAT?
According to (Richardson, 2011), malicious insiders are responsible for less than or equal to 50 percent of financial losses to an organization. He also stated that the most common threats are malware attacks; however, they are not the most financially impacting.
On the contrary, (Andress & Winterfeld, 2011) suggest that malicious insider threats represent the second largest financial loss, while Advanced Persistent Threat (APT)/national threats are the most costly threats, as national secrets worth huge sums of money are exploited through APT. Countries like China and Russia literally have government funding for some APT attacks (Andress & Winterfeld, 2011).
Some authors state that insider threats, among others, are the most dangerous because they are very hard to detect (Spitzner, 2003).
It appears that although insider attacks have a higher likelihood of occurrence, the most dangerous and impactful is the APT, which could lead to national states of emergency.
Figure 2: An illustration of the types of threats, numbered from 1 to 5, where 1 is the most dangerous threat and 5 the least dangerous [based on (Andress & Winterfeld, 2011)]
1) APT is the most financially impacting threat; the impact usually costs nations billions.
2) Insider threats: disgruntled and greedy employees who want to take advantage of known company secrets.
3) Environmental threats: they are uncontrollable and hence are the third most dangerous.
4) Hackers: black hat hackers/crackers are very common; however, theirs is not the most financially impactful attack.
5) Script kiddies are the least impactful or dangerous hackers; see section 2.0 for details.
3 HACKERS
In this section we study the different types of hackers, the motives behind hacking, and how hackers attack.
3.1 WHAT IS HACKING & WHO ARE HACKERS?
According to (Panko, 2004), hacking is a deliberate attempt to gain unauthorized access to data or information. This definition tends to paint hackers as unethical groups of people who exploit information security measures. It describes only a particular type of hacker with nefarious intentions, called black hats or crackers, yet it is the most widely accepted definition of hackers.
However, (Taylor, 1999) defines hacking as a problem-solving medium using unconventional techniques. In fact, (Erickson, 2008) defined hacking as an intelligent way of solving problems using innovative approaches such as in-depth programming skills. (Taylor, 1999) and (Erickson, 2008) claim hacking is more of a skill set, which involves very good technical understanding. These definitions suggest that hacking in itself is not wrong, but is just a tool for solving problems.
Hackers have different motives for hacking: sometimes it is for "bragging rights", in some cases for financial gain, espionage, cyber-war or revenge (Andress & Winterfeld, 2011).
Using a combination of skill sets and motives as a basis, hackers can be grouped into 3 broad categories: hackers, script kiddies and crackers (Barber, 2001).
3.2 TYPES OF HACKERS
The table below presents an overview of the different types of hackers, their motives for attacking, their ethics and their different skills. As mentioned earlier, hackers differ from each other based on motives/intentions, skills and ethics.
Table 2: Comparative analysis of the different types of hackers, classified based on their motives, ethics and skill level

Script kiddies
  Skill level: quite unskilled; they alter pre-programmed scripts
  Motives: bragging rights
  Ethics: considered unethical
White hackers
  Skill level: very skilled programmers
  Motives: protection of users from threats; protecting organizations from potential attacks
  Ethics: ethical
Black hackers
  Skill level: very skilled programmers; good social engineers
  Motives: financial gain; curiosity; revenge
  Ethics: illegal and highly unethical
Grey hackers
  Skill level: very skilled programmers
  Motives: bragging rights; fun; reverse attack against black hats
  Ethics: somewhat ethical
Cyber terrorists
  Skill level: good technical skills
  Motives: political reasons; espionage; financial/economic damage
  Ethics: depends on the laws of the country of the attack

In this section we define only four types of hackers; they include:
3.2.1 Script Kiddies
Script kiddies, as the name implies, are teens within the age group of 14-16 who partake in hacking attacks. They do not have deep technical knowledge and skills like hackers or crackers. Script kiddies initiate their attacks by adapting existing computer scripts or code created by someone else to suit their intended attack scenario (Fitzgerald, 2004). Their major motive behind hacking is to achieve bragging rights. Their most popular attack is website defacement (Conry-Murray, 2001).
3.2.2 White Hackers
White hat hackers can also be referred to as ethical hackers; unlike other hackers, their motive is to defend organizations against threats (Graves, 2007). They make use of their skills and expertise to help organizations improve their security controls.
Most times, they are professionals intentionally employed by companies to assess the vulnerabilities of their systems by carrying out attacks (Shanmugapriya, 2013). Their motive is to proactively protect companies from possible attacks by simulating the attacks in real time and identifying risk areas (penetration testing). This goes a long way to help organizations reduce the risk of threat attacks (Caldwell, 2011). Their motives are morally sound.
3.2.3 BLACK HAT HACKER
A black hat hacker is one who breaches the security of an information system for selfish and criminal intentions (Wang, 2009). The motives of this kind of hacker are usually financial gain, revenge or curiosity (Andress & Winterfeld, 2011).
Black hat hackers are very proficient in programming and in some instances have good social engineering skills. As an example, a black hat hacker can attack an e-commerce database to gain unauthorized access to customers' credit card details and use these details to make unauthorized transactions (Shanmugapriya, 2013).
3.2.4 Grey Hats
Grey hat hackers can be seen as a mix between black hat hackers and white hat hackers (Bansal & Arora, 2012) (Wang, 2009). They sometimes carry out unauthorized attacks, but their intentions are not criminal or for selfish purposes (Shanmugapriya, 2013). For instance, a hacker may discover a loophole in an information system, but instead of reporting the breach to the authorities, he may decide to counter-attack the system of the black hat hacker that initiated the attack (Wang, 2009). This act may not be legally right, but it is not totally ethically improper, as he is not affecting an innocent victim.
3.3 HOW HACKERS ATTACK?
There are different ways through which a hacker attacks; the diagram below states some of the ways hackers perpetrate attacks.
Figure 3: Types of attacks that could threaten information security assets [Based on (Hasan & Prajapati, 2009)]
For the purpose of this material we will describe just four of these attacks; however, refer to Appendix 1 for details of these attacks.
3.4 MALWARE ATTACKS
Malware is code that is written to damage the confidentiality, integrity and availability of an information system (Williamson, 2004). Malware seeks to alter existing information without due authorization (Heiser, 2004). Sometimes malware pretends to be legitimate software; in other instances it attaches itself to documents, and sometimes it is an ".exe" application that requires installation.
According to (Heiser, 2004), malware infects its host in the following ways:
It can be installed by ignorant users.
It can disguise itself as an attachment in an email.
It can be transferred through USB sticks.
Figure 3 (diagram contents): Types of attack: malware, spyware, phishing, DoS, spoofing, brute force, worms, shoulder surfing, social engineering.
3.5 WORMS:
Worms are malwares that specially target systems that are connected (McGraw & Morrisett, 2000). They spread independently by identifying loopholes within the network so as to infect vulnerable systems within it (Williamson, 2004). An instance of this was in 2007, when a worm called Storm Worm infected 300,000 systems. The Trojan horse pretended to be an attachment containing information about the European storm (Security Views, 2007). However, it secretly created a back door, granting the hacker remote access with administrative rights to a victim's system (Security Views, 2007).
3.6 VIRUS:
A virus is malware that attaches itself to other software (usually legitimate); it is activated when the host program is executed by the user (McGraw & Morrisett, 2000).
3.7 TROJANS:
Trojan horses are malicious software which pretend to be a trusted software application; however, their aim is to damage a computer (OWASP, 2009). For instance, a Trojan horse can pretend to be a Microsoft Office installation file called "office.exe". Usually they camouflage in this manner to go unnoticed by the user.
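The camouflage described in sections 3.4 to 3.7 works because users judge a file by its name. The following is an added example (not code from the report) of the defender-side check that undoes this: it compares the format a file's extension claims with the format its leading bytes actually have, and flags executables hiding behind a document name or a double extension such as "invoice.pdf.exe". Go is used here and for the other examples added to this report; the file names and header bytes are constructed for the example, and the signature list is deliberately short.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// Added example, not code from the report: judge a file by its content, not its name.

// Well-known file-format signatures (magic bytes).
var signatures = []struct {
	kind  string
	magic []byte
}{
	{"pe-executable", []byte("MZ")},         // Windows .exe/.dll header
	{"elf-executable", []byte("\x7fELF")},   // Linux executable header
	{"pdf", []byte("%PDF-")},
	{"zip-or-office", []byte("PK\x03\x04")}, // .docx/.xlsx are zip containers
}

// expectedKind maps a file extension to the format a user would expect.
var expectedKind = map[string]string{
	".exe":  "pe-executable",
	".dll":  "pe-executable",
	".pdf":  "pdf",
	".docx": "zip-or-office",
	".xlsx": "zip-or-office",
}

// DetectKind returns the format implied by the leading bytes, or "unknown".
func DetectKind(content []byte) string {
	for _, s := range signatures {
		if bytes.HasPrefix(content, s.magic) {
			return s.kind
		}
	}
	return "unknown"
}

// Verdict is the result of checking one file.
type Verdict struct {
	Name       string
	Claimed    string // format implied by the extension ("unknown" if unmapped)
	Actual     string // format implied by the content
	Executable bool   // content is an executable, whatever the name says
	Mismatch   bool   // extension and content disagree
	DoubleExt  bool   // e.g. "invoice.pdf.exe", displayed as "invoice.pdf" when extensions are hidden
}

// doubleExtension reports names whose inner extension is a document type.
func doubleExtension(name string) bool {
	base := strings.TrimSuffix(name, filepath.Ext(name))
	inner := strings.ToLower(filepath.Ext(base))
	return inner == ".pdf" || inner == ".docx" || inner == ".xlsx"
}

// Check compares the claimed and actual formats of a file.
func Check(name string, content []byte) Verdict {
	ext := strings.ToLower(filepath.Ext(name))
	claimed, known := expectedKind[ext]
	if !known {
		claimed = "unknown"
	}
	actual := DetectKind(content)
	return Verdict{
		Name:       name,
		Claimed:    claimed,
		Actual:     actual,
		Executable: actual == "pe-executable" || actual == "elf-executable",
		Mismatch:   known && actual != "unknown" && claimed != actual,
		DoubleExt:  doubleExtension(name),
	}
}

func main() {
	// Constructed sample contents (a few header bytes each, not real files).
	samples := []struct {
		name    string
		content []byte
	}{
		{"office.exe", []byte("MZ\x90\x00\x03")},      // honest executable
		{"report.pdf", []byte("%PDF-1.7\n")},          // honest document
		{"invoice.pdf", []byte("MZ\x90\x00\x03")},     // executable behind a document name
		{"invoice.pdf.exe", []byte("MZ\x90\x00\x03")}, // double extension
	}
	for _, s := range samples {
		v := Check(s.name, s.content)
		fmt.Printf("%-16s claimed=%-14s actual=%-14s executable=%-5v mismatch=%-5v doubleExt=%v\n",
			v.Name, v.Claimed, v.Actual, v.Executable, v.Mismatch, v.DoubleExt)
	}
}
```

The point of the check is that the Executable flag is set from the header bytes alone, so "invoice.pdf" with an MZ header is reported as an executable even though its extension promises a document; the Mismatch and DoubleExt flags are the two name-based tells that a mail gateway or endpoint scan would raise for review.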
3.8 SOCIAL ENGINEERING ATTACKS
Social engineering is the act of tricking people into granting unapproved access to information, or into divulging privileged information (Hasan & Prajapati, 2009). It involves playing on the psychological weaknesses of humans; unlike other attacks, it does not require deep technical skills (Hasan & Prajapati, 2009).
4 THREAT PREVENTION MECHANISMS
This section highlights different ways and mechanisms to prevent threats and malware attacks.
4.1 INTRUSION PREVENTION SYSTEMS (IPS)
According to (Endorf, et al., 2004), an IPS is a system that proactively identifies malicious activities and restricts them from occurring. They are usually installed internally within a network. Intrusion prevention systems are:
Proactive, because they can identify threats, and
Reactive, because they can mitigate the threat (Stiawan, et al., 2010).
However, one major weakness of IPS is that threats are always evolving, so there is a constant need to update its policy, as it cannot preempt new attacks.
Installation of a firewall is a good form of intrusion prevention.
4.2 EDUCATION OF USERS AND CONSISTENT AWARENESS
Awareness and education of computer users is a medium of protecting against hackers and potential threats (Hasan & Prajapati, 2009) (Atkins & Huang, 2013). For instance, users can be educated on the risk attached to disclosing their passwords or granting unauthorized access to people. Training is one of the most effective ways of preventing social engineering attacks. Training should be accompanied with real-life scenarios explaining the behaviours and techniques that hackers adopt when carrying out their attacks. This is necessary so that users know how to act when faced with a similar scenario (Ashish, 2007).
4.3 ANTIVIRUS, ANTI-SPYWARE
These are software that protect a computer against malware attacks. They are very effective and need to be updated regularly to identify recent malware. They perform routine scans on networks and personal computers in order to identify infected areas of the computer and repair damage caused by the malware.
4.4 AUDIT LOG REVIEW
Organizations should carry out system log audits on all staff systems to assess the risk of the activities carried out from those systems. Sometimes, disgruntled staff with access may carry out nefarious attacks against the organization, but putting in place a routine review of the log files of users' systems can enable an organization to catch the perpetrator of an attack easily.
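To show what a "routine review of the log file" looks like once it is written down as rules, here is an added example (not code from the report) in Go that parses a short, constructed audit log and flags three patterns an insider-threat review typically looks for: a sensitive action outside business hours, a burst of failed logins by one account, and a successful login immediately after that burst. The log line format, the user names and the list of sensitive actions are all assumptions made for the example; a real review would read the organization's own log format and its own list of sensitive operations.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Added example, not code from the report: a small routine audit-log review.
// The "timestamp key=value ..." log format is constructed for this example.

type Event struct {
	When   time.Time
	User   string
	Action string
	Result string
}

type Finding struct {
	Rule  string
	Event Event
}

// Actions worth scrutiny whoever performs them (constructed list).
var sensitiveActions = map[string]bool{"export_customer_db": true, "delete_backup": true}

// ParseLine parses one line such as "2013-11-22T09:02:11Z user=ann action=login result=success".
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	e := Event{When: when}
	for _, f := range fields[1:] {
		key, val, ok := strings.Cut(f, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q in %q", f, line)
		}
		switch key {
		case "user":
			e.User = val
		case "action":
			e.Action = val
		case "result":
			e.Result = val
		}
	}
	return e, nil
}

// Review applies three rules to chronologically ordered events: a sensitive action
// outside 07:00-19:00 UTC, failThreshold failed logins by one user inside window, and
// a successful login by a user who just reached that threshold.
func Review(events []Event, failThreshold int, window time.Duration) []Finding {
	var findings []Finding
	failures := map[string][]time.Time{} // recent failed-login times per user
	for _, e := range events {
		if h := e.When.UTC().Hour(); sensitiveActions[e.Action] && (h < 7 || h >= 19) {
			findings = append(findings, Finding{"sensitive action outside business hours", e})
		}
		if e.Action != "login" {
			continue
		}
		if e.Result == "failure" {
			var recent []time.Time // keep only failures still inside the window
			for _, t := range failures[e.User] {
				if e.When.Sub(t) <= window {
					recent = append(recent, t)
				}
			}
			recent = append(recent, e.When)
			failures[e.User] = recent
			if len(recent) == failThreshold {
				findings = append(findings, Finding{"repeated failed logins", e})
			}
		} else if e.Result == "success" && len(failures[e.User]) >= failThreshold {
			findings = append(findings, Finding{"successful login after repeated failures", e})
		}
	}
	return findings
}

// SampleLog is a constructed excerpt that exercises all three rules.
const SampleLog = `2013-11-22T09:02:11Z user=ann action=login result=success
2013-11-22T09:05:40Z user=ann action=view_report result=success
2013-11-22T23:41:03Z user=bob action=login result=success
2013-11-22T23:43:19Z user=bob action=export_customer_db result=success
2013-11-23T08:10:00Z user=cat action=login result=failure
2013-11-23T08:10:20Z user=cat action=login result=failure
2013-11-23T08:10:45Z user=cat action=login result=failure
2013-11-23T08:11:02Z user=cat action=login result=success`

// ReviewLog parses a log text and reviews it with 3 failures in 5 minutes as the threshold.
func ReviewLog(text string) ([]Finding, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Review(events, 3, 5*time.Minute), nil
}

func main() {
	findings, err := ReviewLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s  %-42s user=%s action=%s\n", f.Event.When.Format(time.RFC3339), f.Rule, f.Event.User, f.Event.Action)
	}
}
```

On the sample log the review produces three findings: bob's export of the customer database at 23:43, cat's third failed login inside five minutes, and cat's successful login right after it. The rules are deliberately simple thresholds; what matters for the section's argument is that the review runs routinely and that a parse error stops it loudly rather than silently skipping lines.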
4.5 ACCESS CONTROL (PHYSICAL AND ROLE-BASED ACCESS CONTROL):
Encryption of data: this is one medium to protect data passed around networks. For instance, sensitive data should be encrypted so that if it is intercepted by a wiretap or a man-in-the-middle attack, the attacker will be unable to decipher the data or make alterations. The encrypted text or data can only be decrypted by a user with the decryption key (Conry-Murray, 2001).
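The paragraph asks for two properties at once: an eavesdropper must not be able to read the data, and a man-in-the-middle must not be able to alter it unnoticed. Plain encryption only gives the first; the second needs authentication of the ciphertext. The following added example (not code from the report) uses AES-256-GCM from Go's standard library, which provides both, and plays out the three scenarios: the legitimate receiver decrypts, a tampered message is rejected, and a party without the key gets nothing. The wire format (nonce prepended to ciphertext and tag) and the sample record are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not code from the report: authenticated encryption with AES-256-GCM.
// Wire format assumed here: 12-byte random nonce || ciphertext || 16-byte tag.

// Encrypt seals plaintext under a 32-byte key with a fresh random nonce.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the output carries all the receiver needs.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. Because GCM authenticates the ciphertext, any change to the
// nonce, ciphertext or tag makes Open return an error instead of altered plaintext.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Result records what each party in the report's scenario experiences.
type Result struct {
	RoundTripOK      bool // legitimate receiver with the key recovers the data
	TamperDetected   bool // man-in-the-middle alteration is rejected
	WrongKeyRejected bool // wiretapper without the key cannot decrypt
}

// Demo encrypts a constructed sensitive record and plays out the three scenarios.
func Demo() (Result, error) {
	var r Result
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	record := []byte("card=4111-xxxx-xxxx-1111 amount=250.00") // constructed sample
	sealed, err := Encrypt(key, record)
	if err != nil {
		return r, err
	}
	opened, err := Decrypt(key, sealed)
	r.RoundTripOK = err == nil && bytes.Equal(opened, record)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01 // attacker flips one bit in transit
	_, err = Decrypt(key, tampered)
	r.TamperDetected = err != nil

	otherKey := make([]byte, 32)
	if _, err := rand.Read(otherKey); err != nil {
		return r, err
	}
	_, err = Decrypt(otherKey, sealed)
	r.WrongKeyRejected = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The design choice worth noting is that the receiver never sees "decrypted" output from a modified message: Open fails closed, which is what turns "the attacker cannot make alterations" from a hope into a checkable property. Key distribution (how the two legitimate users come to share the 32-byte key) is outside this example, as it is outside the report's paragraph.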
5 DISCUSSION AND CONCLUSION
The report above shows that hacking activities could be ethical (white and grey hackers) or unethical (black hacker attacks, cyber terrorists). Although some definitions of hacking describe it as a deliberate attempt to gain unauthorized access to data or information, this definition just describes a particular type of hacker with nefarious intentions, called black hats or crackers. This is the most widely accepted definition of hackers (Panko, 2004).
Some authors are of the view that hacking in itself is not unethical: (Taylor, 1999) defines hacking as a problem-solving medium using unconventional techniques. In fact, (Erickson, 2008) defined hacking as an intelligent way of solving problems using innovative approaches such as in-depth programming skills. (Taylor, 1999) and (Erickson, 2008) claim hacking is more of a skill set, which involves very good technical understanding. These definitions suggest that hacking in itself is not wrong, but is just a tool for solving problems.
The ethics of hacking is defined by the motives, intentions and skill set of the hackers.
Also, in this report, we have highlighted the different types of attack that can be perpetrated by hackers, which include malware, adware and social engineering attacks. According to the CSI 2010 report (Richardson, 2011), 67 percent of attacks are malware attacks and 39 percent of attacks are perpetrated through social engineering (phishing) attacks (see Figure 4 for details).
The number of these attacks keeps rising every year. Organizations, individuals and government agencies are vulnerable to these attacks. Most of these attacks compromise the confidentiality, integrity and availability of data. Therefore, it is important to protect against them. This report identifies various mediums to protect oneself from these attacks: intrusion prevention, education, antivirus and audit review.
However, researchers believe that the most effective way is through education of computer users on the activities of attackers (Atkins & Huang, 2013). Individuals should be constantly made aware of attacks, and regulatory bodies and government organizations should also be involved in educating users about the nefarious activities of hackers and threats. This will help reduce threats in the cyber community, curb the activities of hackers and reduce financial losses due to attacks.
Figure 4: Types of Threat Attacks based on (Richardson, 2011)
6 REFERENCES
Andress, J. & Winterfeld, S., 2011. Threatscape. In: Cyber warfare: techniques, tactics and tools for security practitioners. Elsevier, pp. 29-33.
Ashish, T., 2007. Social engineering: An attack vector most intricate to tackle. Technical report, Infosecwriters.
Bansal, A. & Arora, M., 2012. Ethical Hacking And Social Security. Radix International Journal of Research in Social Science, 1(11), pp. 1-16.
Barber, R., 2001. Hackers profiled: who are they and what are their motivations. Computer Fraud & Security, Volume 2, pp. 14-17.
Bishop, M., 2005. Introduction to Computer Security. Massachusetts: Pearson Education, p. xxxiii.
Bradon, A. & Wilson, H., 2013. A study of Social Engineering in Online Fraud. Scientific Research, pp. 23-31.
Caldwell, T., 2011. Ethical hackers: putting on the white hat. Network Security, Elsevier, 2011(7), pp. 10-13.
Conry-Murray, A., 2001. Network security's not-so-secret ingredients. Network Magazine, 16(8), pp. 68-73.
Endorf, C., Eugene, S. & Jim, M., 2004. Understanding Intrusion Detection. In: Intrusion Detection & Prevention. McGraw-Hill, New York, Chapter 1.
Erickson, J., 2008. The Hawks and the Doves. In: Hacking: The Art of Exploitation. No Starch Press, pp. vii-x.
Fitzgerald, M., 2004. Hackers, Crackers and Script Kiddies, Oh My!: How to sort the good guys from the bad. ExtremeTech.com, p. 1.
Graves, K., 2007. Introduction to Ethical Hacking, Ethics and Legality. In: CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50. Wiley, p. 6.
Harvey, M. G. & Novicevic, M. M., 2006. The World is Flat: A Perfect Storm for Global Business? Organizational Dynamics, 35(3), pp. 207-219.
Hasan, M. I. & Prajapati, N. B., 2009. An Attack Vector for Deception Through Persuasion Used by Hackers and Crakers. In: Networks and Communications, 2009. NETCOM'09. First International Conference on. IEEE, pp. 254-258.
Heiser, J. G., 2004. Understanding today's malware. Information Security Technical Report, 9(2), pp. 47-64.
Loch, K. D. & Carr, H., 1991. Threats to information system security: an organizational perspective. In: System Sciences, 1991. Proceedings of the Twenty-Fourth Annual Hawaii International Conference on. IEEE, pp. 551-557.
McGraw, G. & Morrisett, G., 2000. Attacking malicious code: A report to the Infosec Research Council. IEEE Software, 17(5), pp. 33-41.
O'Kane, P., Sezer, S. & McLaughlin, K., 2011. Obfuscation: The Hidden Malware. IEEE Security & Privacy, 9(5), pp. 41-47.
OWASP, 2009. Trojan Horse. [Online] Available at: https://www.owasp.org/index.php/Trojan_Horse [Accessed 23 11 2013].
Panko, R. R., 2004. Corporate Computer and Network Security. Pearson Education Limited.
Richardson, R., 2011. CSI 2010/2011 Computer Crime and Security Survey. Computer Security Institute, Volume 1, pp. 1-44.
Security Views, 2007. Malware. Computers & Security, 26(4), pp. 188-200.
Shanmugapriya, R., 2013. A study of network security using penetration testing. In: Information Communication and Embedded Systems (ICICES), 2013 International Conference on. pp. 371-374.
Spitzner, L., 2003. Honeypots: Catching the insider threat. In: Computer Security Applications Conference, 2003. Proceedings. 19th Annual. IEEE, pp. 170-179.
Stiawan, D., Abdullah, A. H. & Idris, M. Y., 2010. The Trends of Intrusion Prevention System Network. In: Education Technology and Computer (ICETC), 2010 2nd International Conference on. IEEE, pp. V4-217.
Sumner, M., 2009. Information Security Threats: A Comparative Analysis of Impact, Probability, and Preparedness. Information Systems Management, 26(1), pp. 2-12.
Symantec Corporation, 2013. Information Security Threat Report. Available at http://www.infosecurity-magazine.com/.
Taylor, P. A., 1999. Hackers: crime in the digital sublime. Psychology Press.
Wang, J., 2009. Network Security Overview. In: Computer network security: theory and practice. Springer, p. 26.
Wilhelm, T., 2009. Why Stay Ethical? In: Professional penetration testing: Creating and operating a formal hacking lab. Syngress, pp. 15-16.
Williamson, D., 2004. Deconstructing malware: what it is and how to stop it. Information Security Technical Report, 9(2), pp. 27-34.