

Saturday, August 4, 2007

Defining Information Threats

Felix Mohan, CEO - SecureSynergy

Enterprise information infrastructures have become critical 'centres of gravity': a collapse of the information infrastructure can lead to the collapse of the enterprise itself, which makes the infrastructure an attractive target for potential adversaries.

Potential adversaries can be either malicious or non-malicious. Malicious adversaries include nation states, hackers (including phreakers, crackers, trashers, and pirates), terrorists/cyber-terrorists, organized crime, other criminal elements, industrial competitors, and disgruntled employees. Careless or poorly trained employees, on the other hand, are non-malicious adversaries who pose a threat to information systems through lack of training, lack of concern, or lack of attentiveness.

Adversaries employ attack techniques that can be classified as passive, active, insider, close-in or distribution attacks. Passive attacks consist of monitoring communications sent over public media without altering them, and include reading plaintext, decrypting weakly encrypted traffic, password sniffing, and traffic analysis (inferring who talks to whom, when, and how much, even when the content is encrypted). Countermeasures include VPNs, cryptographically protected networks, and protected distribution networks (e.g. a physically protected or alarmed wire-line distribution network). Note that encryption defeats content disclosure but not traffic analysis; that requires padding or cover traffic as well.
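The two passive techniques named above, password sniffing and traffic analysis, behave differently against the countermeasures listed. The following added example (not part of the original article; every packet, host name and credential in it is constructed) sniffs HTTP Basic-auth credentials from a plaintext capture, then shows that hiding the content in a tunnel stops the sniffer but not size-based traffic analysis, and that padding records to a fixed size does:

```python
"""Passive attacks against a constructed traffic capture (added example):
password sniffing on plaintext, then traffic analysis that still works after
the payload is hidden by a tunnel, and length padding as the countermeasure."""
import base64
import re
import secrets

# Constructed capture of two HTTP exchanges on an unprotected link.
# Each entry is (direction, payload); "c2s" = client to server.
PLAINTEXT_CAPTURE = [
    ("c2s", b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Authorization: Basic "
            + base64.b64encode(b"alice:Summer2007!") + b"\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\nWelcome alice"),
    ("c2s", b"GET /payroll/export.csv HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 4096\r\n\r\n" + b"x" * 4096),
]

BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def sniff_credentials(capture):
    """Password sniffing: recover Basic-auth credentials from plaintext packets."""
    creds = []
    for direction, payload in capture:
        if direction != "c2s":
            continue
        for match in BASIC_RE.finditer(payload):
            user, _, password = base64.b64decode(match.group(1)).decode().partition(":")
            creds.append((user, password))
    return creds


def tunnel(capture):
    """Stand-in for a VPN or TLS tunnel: the content becomes unreadable but
    the size and direction of every record are preserved, as they are with
    real ciphers that add little or no padding."""
    return [(d, secrets.token_bytes(len(p))) for d, p in capture]


# Fingerprints an attacker builds by fetching the same pages themselves
# (constructed here from the plaintext capture above).
RESPONSE_FINGERPRINTS = {
    len(PLAINTEXT_CAPTURE[1][1]): "/login",
    len(PLAINTEXT_CAPTURE[3][1]): "/payroll/export.csv",
}


def traffic_analysis(capture, fingerprints):
    """Infer which resource each server response carried from its length alone."""
    return [fingerprints.get(len(p), "unknown") for d, p in capture if d == "s2c"]


def pad_to_fixed_size(capture, size=8192):
    """Countermeasure the tunnel alone does not give: pad every record to one
    size so that length no longer identifies the content."""
    padded = []
    for d, p in capture:
        if len(p) > size:
            raise ValueError("record larger than padding size")
        padded.append((d, p + b"\0" * (size - len(p))))
    return padded


if __name__ == "__main__":
    print("plaintext sniffing:", sniff_credentials(PLAINTEXT_CAPTURE))
    tunnelled = tunnel(PLAINTEXT_CAPTURE)
    print("sniffing inside tunnel:", sniff_credentials(tunnelled))
    print("traffic analysis on tunnel:", traffic_analysis(tunnelled, RESPONSE_FINGERPRINTS))
    padded = tunnel(pad_to_fixed_size(PLAINTEXT_CAPTURE))
    print("traffic analysis with padding:", traffic_analysis(padded, RESPONSE_FINGERPRINTS))
```

The point a practitioner should take from this is that a VPN or TLS removes the first threat (credential disclosure) but leaves the second (traffic analysis) intact, because record sizes and timing are still visible to a passive observer; padding to a fixed size, or a protected physical distribution path, is what closes that channel.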

Active attacks alter the system or the traffic rather than merely observing it, and include attempts to:
:: Circumvent or break security features
:: Introduce malicious code (such as computer viruses)
:: Subvert data or system integrity
:: Modify data in transit
:: Replay previously captured data (insertion)
:: Hijack sessions
:: Masquerade as an authorised user
:: Exploit vulnerabilities in software that runs with system privileges
:: Exploit network trust relationships
:: Insert and exploit malicious code (Trojans, backdoors, viruses, worms etc.)
:: Mount denial of service
Typical countermeasures include:
:: Strong enclave boundary protection (e.g., firewalls and guards)
:: Access control based on authenticated identities for network management interactions
:: Protected remote access
:: Quality security administration
:: Automated virus detection tools
:: Audit
:: Intrusion detection
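Two of the active attacks listed above, modification of data in transit and replay, are often confused because the usual integrity countermeasure only stops one of them. The following added example (not from the original article; the key and messages are constructed) authenticates messages with HMAC-SHA256 and compares a receiver that checks only the MAC with one that also enforces a strictly increasing counter:

```python
"""Two active attacks from the list above against an authenticated channel
(added example with a constructed key and constructed messages): modification
in transit is caught by a MAC; replay is only caught when the receiver also
checks freshness."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-do-not-reuse"  # constructed; derive real keys properly


def make_message(counter, body, key=KEY):
    """Sender: serialize a counter and body, append HMAC-SHA256 over both."""
    payload = json.dumps({"body": body, "ctr": counter}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag


def check_mac(wire, key=KEY):
    """Return the parsed payload if the MAC verifies, else None."""
    payload, _, tag = wire.rpartition(b"|")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


class NaiveReceiver:
    """Integrity only: any message with a valid MAC is acted upon."""

    def __init__(self):
        self.accepted = []

    def receive(self, wire):
        msg = check_mac(wire)
        if msg is None:
            return "rejected: bad MAC"
        self.accepted.append(msg)
        return "accepted"


class FreshReceiver(NaiveReceiver):
    """Integrity plus freshness: the counter must strictly increase, so a
    captured message cannot be inserted a second time."""

    def __init__(self):
        super().__init__()
        self.last_ctr = -1

    def receive(self, wire):
        msg = check_mac(wire)
        if msg is None:
            return "rejected: bad MAC"
        if msg["ctr"] <= self.last_ctr:
            return "rejected: replay"
        self.last_ctr = msg["ctr"]
        self.accepted.append(msg)
        return "accepted"


def tamper(wire, old, new):
    """Attacker on the path edits the body without knowing the key."""
    return wire.replace(old, new, 1)


def run_scenario(receiver_cls):
    """Legit message, modified copy, replayed copy, next legit message."""
    r = receiver_cls()
    m1 = make_message(1, "transfer 100 to bob")
    results = [r.receive(m1)]
    results.append(r.receive(tamper(m1, b"100", b"900")))  # modification in transit
    results.append(r.receive(m1))                            # replay of a valid message
    results.append(r.receive(make_message(2, "transfer 5 to carol")))
    return results


if __name__ == "__main__":
    print("MAC only:      ", run_scenario(NaiveReceiver))
    print("MAC + counter: ", run_scenario(FreshReceiver))
```

The MAC alone rejects the tampered message but happily accepts the replayed one, because it is byte-for-byte the message the sender really did authenticate. Freshness has to be a separate check, here a per-sender counter that must survive restarts; a timestamp window or a cache of seen nonces serves the same purpose where a strict counter is impractical.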

In close-in attacks an unauthorized individual gains close physical proximity to networks, systems, or facilities in order to modify, gather, or deny access to information. Such proximity is gained through surreptitious entry, open access, or both. Close-in attacks include modification of data, information gathering, system tampering, and physical destruction of the local system.

Insider attacks are performed by a person who is either authorized to be within the physical boundaries of the information processing system or has direct access to it. Insider attacks can be malicious or non-malicious (caused by carelessness or ignorance of the user). The non-malicious case is still treated as an attack because of the security consequences of the user's action.

Insider attacks are often the most difficult to detect and to defend against. Sources of insider attacks include maintenance staff working after hours, authorized system users, and system administrators with malicious intent. It is often difficult to prevent individuals who have legitimate access to a system from straying into more sensitive areas for which they hold no authorization, which is why least privilege and audit of privileged actions matter. Insider attacks may focus on compromising data or access, and can include modification of the system's own protection measures. A malicious insider may also use covert channels to signal private information out of an otherwise protected network.

Distribution attacks maliciously modify hardware or software between the time of its production by a developer and its installation, or while it is in transit from one site to another. These attacks, which include chipping (the insertion of malicious circuitry into hardware during manufacture or shipping), are usually complex, may require collusion between industry and government, and are typically conducted as information warfare initiatives by nation states. The practical defence is to verify the integrity of what arrives against what the developer shipped (signatures, published hashes, trusted distribution channels) rather than to trust the delivery path.

Given the myriad techniques that potential adversaries have at their disposal to cause harm, and the inexorable increase in the dependency of business processes on information systems, implementing robust information security controls in the enterprise is no longer a matter of choice!
