http://www.sans.org/reading-room/whitepapers/awareness/ghosts-machine-who-why-attacks-information-security-914?show=ghosts-machine-who-why-attacks-information-security-914&cat=awareness
In this 2002 report several real world occurrences were cited. I wish to focus on the who's for the moment...
They describe ten archetypes:
1) "The Explorer", probably the most famous example and therefore the first that comes to mind, however they are so few and far between, which is what makes them so remarkable. They are not what poses the real threat to organizations, not to mention the fact that such highly skilled persons are likely to make an honest living and avoid criminality that would threaten their livelihood.
2) "The Disgruntled Worker" under which heading they provide an example of a British intelligence leak. A more modern example of which would be the world famous Edward Snowden. These types of individuals are particularly difficult to protect against and the spiteful nature of their attacks are particularly damaging.
3) "The Spy" in this section what I find noteworthy about the real world example given is that there were still boots on the ground. The attacker (France) made use of physical persons infiltrating the target organization. I am of the opinion that reasonable measures can be taken on the information security side to mitigate these types of loses.
4) "The Terrorist" the takeaway I find in this example is not to underestimate what might be valuable information to some people.
5) "The Thief" while this may sound like your concern as you read the article you realize that it is another type of internal threat, against which reasonable efforts can be taken to reduce the opportunity to occur.
6) "The Hacktivist" I am of the opinion that if you are realistically concerned over this type of threat to your organization then you have larger concerns than this type of attack.
7) "The Script Kiddie" the weakest and most common of attackers, using the hand-me-downs from more capable individuals after the the real value of the exploit has already been detected, they can frequently be blocked by a prompt patching schedule.
8) "Hacker For Hire" these are the practical external threats, and what is worth noting is that they are not targeting a weakness and anyone whom has it but instead are targeting you and trying to find out what weaknesses you have (whether they are working for or against you).
9) "The Competition" the authors refer back to their example with the French, while it is worth recognizing the difference in motivation it is also worth acknowledging that companies would work through an agent that could be characterized by one of these other archetypes.
10) "Enemy Countries" countries, like companies, and not themselves a person and therefore also work through intermediaries. While I accept the importance of recognizing entity and their motivations I want to focus on the individuals that perpetrate attacks.
So lets look at these examples again and filter down, ignoring motivation and goals, lets focus on tactics.
1) "The Savant" comes in blind, looking for a challenge.
2) "Internal Threat" uses their existing access to take revenge.
3) "Infiltration" uses deception to gain access.
4) Nondescript cautionary warning not to underestimate the value of information.
5) "Internal Threat" using existing access for personal gain.
6) "External Threat" public defacement targeting outermost infrastructure.
7) "Amateurs" the bulk of attackers using exploits discovered by others.
8) "Professionals" these external attackers against which it feels we spend the most time worrying about. Though, if we can stop them then we can stop the script kiddies and mitigate others.
9 & 10) "Resourced Organizations" are not individuals and therefore work through one or more of the others in this list.
Which leaves us with six categories of individuals that we can group as internal vs external:
Internal
1) The Disgruntled Worker and The Thief, historically, these are the most damaging both to a companies reputation and their bottom line.
2) The Spy, from an information security perspective I would say that you can take preventative measures to mitigate potential losses, but the burden to really preventing this one falls on human resources and background checks.
External
3) The Hacktivist, a responsible media helps reduce the motivation behind this type of criminal, but we should be able to prevent it from occurring since they are externally attacking systems over which we have total control.
4) Hacker For Hire, these individuals make their living, for better or worse, dealing in the practice of information security. They are the reason we have firewalls and gateways, the only way to combat them is to have our own professionals.
5) Script Kiddies, if we can stop the professionals then these should be no sweat.
6) The Explorer, while capable and dangerous this type of attacker is characterized as being benign and ultimately represents the unknown-unknown. Pretend for a moment that someone got in, what can they get, how many layers must they penetrate to reach something sensitive, what is the shortest route?
My point is that even though most attackers are trying to get in and we spend most of our time and effort to stop them, the most dangerous threats physically walk through the front door every day.
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html
http://www.informationweek.com/interview-with-a-convicted-hacker-robert-moore-tells-how-he-broke-into-routers-and-stole-voip-services/d/d-id/1059631
http://blogs.cisco.com/security/life-after-anonymous-interview-with-a-former-hacker/
Not only are the greatest threats walking through the front door, so are the greatest weaknesses. While social hacking may be on the decline it is being replaced by opportunity provided by lack of information security. While not everyone can be expected to be a security expert, companies for which computers are central to their business model can not expect to get away without addressing security concerns, while more and more computers and internet based communications are required in all industries just to compete.
http://www.computerweekly.com/opinion/Security-Think-Tank-ISFs-top-security-threats-for-2014
New threats and trends, much in the same sense that the necessity of the home computer eventually let to opportunities for bot-nets and theft of PII directly from individuals, the smartphone is the new PC, but the new opportunity created is piggy backing, to penetrate the network of the company for which the host works. In a sense, the user and their phone is the infected host, unaffected by the virus they spread into their companies' networks. At least that is my prediction, that penetrations will come from an internal weakness more so than vulnerabilities in the network surface.
There seems to also be significant concern over cloud infrastructure, but as long as the companies hosting the clouds are responsible I see little new opportunity. Notably, a large part of that responsibility is enforcing security of clients connecting to them. That said, if they are not responsible then the party will come abruptly to an end.
No comments:
Post a Comment