2. The story so far …
• Security requirements:
– Confidentiality
– Integrity
– Availability
• Information related assets:
– data
– software
– hardware
• Need to protect assets from harm
• Threat: possible source of harm to an asset
Computer Security Management
Page 2
3. Remember definitions?
• Harm
– Something happens to an asset that we do not want to happen
• Threat
– Possible source of harm
• Attack
– Threatening event (instance of a threat)
• Attacker
– Someone or something that mounts a threat
• Vulnerability
– Weakness in the system (asset) that makes an attack more likely to succeed
• Risk
– Possibility that a threat will affect the business or organisation
4. Last week …
• Six basic types of harm
• A threat is a possible source of harm
• A threat exploits vulnerabilities in a system
• We need to satisfy our information security requirements
• Need to put controls in place to defend ourselves
5. Defend against whom?
• Malicious entity (human or computer program) that tries to
compromise information security requirements (CIA)
• Might attempt to:
– discover secrets,
– corrupt data,
– spoof the identity of a message sender or receiver,
– or force system downtime.
• Attackers differ in
– Motivation
– Ability
– Resources
– Readiness to assume risk
• We need to know what type of attacker we are facing to select
effective security measures
6. Attack sophistication vs. attacker technical knowledge
[Figure: chart of intruder knowledge against attack sophistication over 1980–2000 (vertical scale High to Low). Labelled milestones: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sniffers, sweepers, GUI tools, network mgmt. diagnostics, automated probes/scans, www attacks, packet spoofing, “stealth”/advanced scanning techniques, denial of service, distributed attack tools, staged and auto-coordinated tools, cross site scripting.]
7. Types of attackers (A. Sasse, based on Schneier, 2003)
• Opportunist
• Emotional attacker
• Cold intellectual attacker
• Terrorist
• Insider
8. Opportunist
• Most common type of attacker
• Spots and seizes an opportunity
• Convinced they will not get caught
• Highly risk-averse
9. Emotional attacker
• Wants to make a statement
• Accepts high level of risk
• Motivation:
– Revenge
– Just for fun
– Cries for help
10. Cold intellectual attacker
• Professional who attacks for personal material gain
• High skill level
• Has resources available
• Highly risk-averse
• Might use insiders to carry out attacks
11. Terrorist
• Wants to make a statement or intimidate
• Wants to gain visibility
• Accepts high risk
• Not deterred by sophisticated countermeasures
• Might see countermeasures as challenge
12. Insider
• Employees are still one of the biggest threats to corporate IT
security both through malicious and accidental actions.
• “Statistics show that 70 per cent of fraud is perpetrated by staff
rather than by external people or events. We invest up to 90 per
cent of our security resources on controls and monitoring against
internal threats.” (Mitsubishi UFJ Securities International, 2008)
• Insiders are often tricked into the attack by a third party, e.g.
through social engineering
13. Insider (2)
• Unwitting pawn for another insider or outsider
• Insider intends to perpetrate or facilitate the attack, alone or in
collusion with other parties, e.g.
– Forced to carry out the attack, e.g. through blackmail, hostage
– Groomed to carry out the attack, e.g. lonely person befriended by somebody
they will now do anything for
– Motivated by expected personal gain
14. Insider attackers
• Age 18-59
• 42% female
• Variety of positions
– 31% service
– 23% admin
– 19% professional
– 23% technical
• 17% have sysadmin/root access
• 15% regarded as difficult to manage
• 19% perceived by others as disgruntled employees
• 27% had come to attention of a supervisor and/or co-worker prior
to the incident
• 27% had prior arrests
15. Types of insider attacks
• Leaking of information:
– insider copies information and uses it for their own purposes
• Data or service theft:
– Removal of data or software
• Tampering with data or system
– Changing data or software in the system or tampering with procedures
• Sabotage
– Changing data or software in the system so that the system does not work
properly (might not be immediately apparent)
• Vandalism
– Immediately visible and usually aimed to stop the system from working
16. Precursors of insider attacks
• Deliberate markers
– To make a statement
• Meaningful errors
– Attacker makes error whilst trying to cover their tracks by deleting logfiles
• Preparatory behaviour
– Collecting information, testing countermeasures, checking permissions
• Correlated usage pattern
– might reveal a systematic attempt to collect information
• Verbal behaviour
– E.g. hints to friends, threats, unhappiness with the organisation …
• Personality traits
– Introversion, loners …
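Three of the precursors above (meaningful errors such as a failed attempt to delete log files, permission checking, and a correlated usage pattern of broad information collection) can be surfaced from ordinary access logs. The script below is an added illustration, not material from the lecture; the log format, user names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (assumed format: timestamp user action target outcome).
SAMPLE_LOG = """\
2024-03-01T09:01:10 alice READ /finance/q1.xlsx OK
2024-03-01T09:02:44 alice READ /finance/q2.xlsx OK
2024-03-01T09:03:02 bob READ /hr/payroll.csv DENIED
2024-03-01T09:03:05 bob READ /hr/salaries.csv DENIED
2024-03-01T09:03:09 bob READ /finance/budget.xlsx DENIED
2024-03-01T09:10:00 bob DELETE /var/log/auth.log DENIED
2024-03-01T09:11:30 carol READ /eng/design.doc OK
2024-03-01T09:12:00 carol READ /eng/roadmap.doc OK
2024-03-01T09:12:20 carol READ /eng/spec1.doc OK
2024-03-01T09:12:40 carol READ /eng/spec2.doc OK
2024-03-01T09:13:00 carol READ /eng/spec3.doc OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|DENIED)$")
LOG_PATH_RE = re.compile(r"(^|/)[^/]*\.log$|(^|/)log/")  # targets that look like log files

def parse(log_text):
    """Turn the constructed log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(dict(zip(("ts", "user", "action", "target", "outcome"), m.groups())))
    return events

def flag_precursors(events, denied_threshold=3, breadth_threshold=5):
    """Map each user to the sorted list of precursor behaviours observed (thresholds are assumptions)."""
    findings = defaultdict(set)
    denied = defaultdict(set)   # user -> distinct targets on which access was refused
    touched = defaultdict(set)  # user -> distinct targets read successfully
    for e in events:
        # Meaningful error: trying (even unsuccessfully) to remove audit trail
        if e["action"] == "DELETE" and LOG_PATH_RE.search(e["target"]):
            findings[e["user"]].add("log-deletion attempt")
        if e["outcome"] == "DENIED":
            denied[e["user"]].add(e["target"])
        elif e["action"] == "READ":
            touched[e["user"]].add(e["target"])
    for user, targets in denied.items():       # preparatory behaviour: checking permissions
        if len(targets) >= denied_threshold:
            findings[user].add("permission probing")
    for user, targets in touched.items():      # correlated usage: systematic collection
        if len(targets) >= breadth_threshold:
            findings[user].add("broad collection")
    return {u: sorted(f) for u, f in findings.items()}
```

Running `flag_precursors(parse(SAMPLE_LOG))` flags bob for both probing and the log-deletion attempt and carol for broad collection, while alice is not reported.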
17. Motivation
• Material gain
• Revenge
• Improve position within the organisation
• Improve esteem in the eyes of others
• Thrill-seeking
18. Means of attacks
• In 87% of the cases: the insider employed simple, legitimate user
commands to carry out the attack
• In 78% of the cases: authorised users
• In 43% of the cases: attacker used their own username and
password!
• 26% used someone else’s account (unattended terminal with open
user account or social engineering)
• 70% exploited vulnerabilities in systems and/or procedures
• 39% were unaware of the organisation’s technical security measures!