July 14, 2013

2.4.7 Threat Awareness


A lawsuit, brought by Sidekick customer Maureen Thompson, alleges T-Mobile, Microsoft and Microsoft subsidiary Danger failed to follow even the most basic data protection principles and as a result the safety, security and availability of the data belonging to users was compromised. – goo.gl/o3VRe
Global Payments, a third-party payments processor to Visa and MasterCard credit and debit cards, reiterated that while customer data may be at risk, the data breach has been "contained to the best of our ability." Overall, 1.5 million accounts may have been affected. – goo.gl/9z6EH
Malware (unauthorized and malicious software) that was secretly installed on servers in Hannaford Bros. Co.'s supermarkets across the Northeast and in Florida allowed credit and debit card numbers to be stolen as shoppers swiped their cards at checkout line machines. This massive data breach compromised up to 4.2 million credit and debit cards. – goo.gl/ZzvZn
The Indiana Family and Social Services Administration (FSSA) is in the process of notifying some FSSA clients that some of their personal information may have been accidentally disclosed to other clients. The programming error was made on April 6, 2013. The error was discovered on May 10, 2013 and it was corrected on May 21, 2013. – goo.gl/HTKIe

A threat is a condition that might result in a breach of security and can then possibly cause harm. The National Information Assurance Glossary defines threat as “Any circumstance or event with the potential to adversely impact an Information System (IS) through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.”

Threats to critical information systems are evolving and growing. A threat can be either unintentional or intentional:
  • Unintentional threats can be caused by a computer hardware or software malfunction, flaws in security or privacy policy definitions, incorrect maintenance procedures, errors made by administrators and integrators, or natural disasters that inadvertently disrupt systems.
  • Intentional threats result from the possibility of an attack by a threat agent and can come from a variety of sources (e.g., an individual attacker or a criminal organization). These sources include business competitors, corrupt employees, criminal groups, hackers/crackers, and foreign nations engaged in espionage and information warfare.
According to the Government Accountability Office (GAO), “The number of cyber incidents affecting computer systems and networks continues to rise. Over the past 6 years, the number of cyber incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased from 5,503 in fiscal year 2006 to 48,562 in fiscal year 2012, an increase of 782 percent.” The rise in reported incidents is not only bad news: growing awareness implies improved detection, so more of the incidents that occur are now being noticed and reported.

Sources of threats include:
  • Bot-network – a network of compromised, remotely controlled systems used to coordinate attacks and to distribute phishing schemes, spam, and malware.
  • Business competitors – a competing organization may seek to obtain sensitive information to improve its competitive advantage.
  • Hackers/Crackers – skilled and unskilled attackers (the latter relying on pre-existing attack scripts and tools) who break into networks for the challenge, bragging rights, revenge, stalking, monetary gain, political activism, etc.
  • Individuals or small groups – using techniques such as phishing, spam, spyware, denial of service and other attack methods.
  • Insiders – disgruntled and/or corrupted organization insiders, including employees and contractors, who have inside knowledge of the system. The compromise may be intentional, or it may be unintentional, caused by careless or poorly trained personnel.
  • Nations and foreign corporations – using state or corporate resources (finance, staff, infrastructure, training, etc.) to direct attacks for information gathering, espionage and disruption.
Attack vectors include phishing attacks, zero-day exploits and new viruses:
  • Phishing attacks
    • The act of attempting to acquire financial or other confidential information, such as usernames, passwords, and credit card details, by masquerading as a legitimate entity, typically via e-mail. The e-mail might direct the user to a fake web site whose main purpose is to steal the user’s information.
  • Zero-day exploits
    • A zero-day exploit is an attack that takes advantage of a previously unknown vulnerability in a computer system on the day that the vulnerability becomes generally known. This means that the developers have had no time (zero days) to identify and patch the vulnerability: there are “zero days” between the time the vulnerability is discovered and the time the first attack occurs.
  • New viruses
    • A virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the target user. Similar to zero-day exploits, “new viruses” are newly created viruses that might infect systems before anti-virus programs and other virus fingerprinting tools are updated to detect and disinfect them.
Effective threat awareness measures involve knowledge of possible threats and an effort to stay up to date on the varied and evolving threat sources. In addition to continuous education, it is important to constantly scan and monitor your network so that threats can be intercepted before they harm your systems.

Here are just a few sources for improving your threat awareness:
  • United States Computer Emergency Readiness Team – US-CERT (www.us-cert.gov)
    US-CERT's vision is to be a trusted global leader in cybersecurity — collaborative, agile, and responsive in a complex environment.
  • Common Weakness Enumeration – CWE (cwe.mitre.org)
    A community developed dictionary of software weakness types.
  • The SANS Institute – SANS (www.sans.org)
    A source for information security training and security certifications. SANS develops, maintains, and provides a collection of research documents about various aspects of information security, and operates the Internet's early warning system - the Internet Storm Center.
  • Metasploit Project (www.metasploit.com)
    The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is a collaboration of the open source community and Rapid7. Metasploit is penetration testing software that helps verify vulnerabilities and manage security assessments.
  • Privacy Rights Clearinghouse (privacyrights.org)
    The mission is to engage, educate and empower individuals to protect their privacy. They identify trends and communicate findings to advocates, policymakers, industry, media and consumers.
  • U.S. Department of Defense – Defense Security Service (DSS) (www.dss.mil/isp/count_intell/count_train_mat.html)
    DSS provides the military services, Defense Agencies, federal agencies and cleared contractor facilities with security support services.
  • Various Security-Related Blogs:
    • labs.alienvault.com/labs
    • blogs.technet.com/b/mmpc – Microsoft Malware Protection Center
    • www.zdnet.com/blog/security – Stay on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks.