Isys20261 lecture 03

Computer Security Management
(ISYS20261)
Lecture 3 – Attackers

Module Leader: Dr Xiaoqi Ma
School of Science and Technology

The story so far …

• Security requirements:
– Confidentiality
– Integrity
– Availability

• Information related assets:
– data
– software
– hardware

• Need to be protect assets from harm
• Threat: possible source of harm to an asset

Page 2

Remember definitions?

• Harm
– Something happens to an asset that we do not want to happen

• Threat
– Possible source of harm

• Attack
– Threatening event (instance of a threat)

• Attacker
– Someone or something that mounts a threat

• Vulnerability
– Weakness in the system (asset) that makes an attack more likely to successes

• Risk
– Possibility that a threat will affect the business or organisation

Page 3

Last week …

• Six basic types of harm
• A threat is a possible source of harm
• A threat exploits vulnerabilities in a system
• We need to satisfy our information security requirements
• Need to put controls in place to defend ourselves

Page 4

Defend against whom?

• Malicious entity (human or computer program) that tries to
compromise information security requirements (CIA)
• Might attempt to:
– discover secrets,
– corrupt data,
– spoof the identity of a message sender or receiver,
– or force system downtime.

• Attacker differ in
– Motivation
– Ability
– Resources
– Readiness to assume risk

• We need to know what type of attacker we are facing to select
effective security measures
Page 5

Attack sophistication vs. attacker technical
Auto Coordinated
knowledge Cross site scripting Tools
“stealth” / advanced
High scanning
techniques
packet spoofing denial of service Staged

sniffers distributed
attack tools
Intruder sweepers www attacks
Knowledge
automated probes/scans
GUI
back doors
disabling audits network mgmt. diagnostics
hijacking
burglaries sessions
Attack exploiting known vulnerabilities
Sophistication
password cracking
self-replicating code
password guessing
Intruders
Low
1980 1985 1990 1995 2000
Page 6

Types of attackers (A. Sasse, based on
Schneier, 2003)
• Opportunist
• Emotional attacker
• Cold intellectual attacker
• Terrorist
• Insider

Page 7

Opportunist

• Most common type of attacker
• Spots and seizes an opportunity
• Convinced they will not get caught
• Highly risk-averse

Page 8

Emotional attacker

• Wants to make a statement
• Accepts high level of risk
• Motivation:
– Revenge
– Just for fun
– Cries for help

Page 9

Cold intellectual attacker

• Professional who attacks for personal material gain
• High skill level
• Has resources available
• Highly risk-aversive
• Might use insiders to carry out attacks

Page 10

Terrorist

• Wants to make a statement or intimidate
• Wants to gain visibility
• Accepts high risk
• Not deterred by sophisticated countermeasures
• Might see countermeasures as challenge

Page 11

Insider

• Employees are still one of the biggest threats to corporate IT
security both through malicious and accidental actions.
• “Statistics show that 70 per cent of fraud is perpetrated by staff
rather than by external people or events. We invest up to 90 per
cent of our security resources on controls and monitoring against
internal threats." (Mitsubishi UFJ Securities International, 2008)
• Insider are often tricked into the attack by a third party, e.g.
through social engineering

Page 12

Insider (2)

• Unwitting pawn for another insider or outsider
• Insider intents to perpetrate or facilitate the attack, alone or in
collusion with other parties, e.g.
– Forced to carry out the attack, e.g. through blackmail, hostage
– Groomed to carry out the attack, e.g. lonely person befriended by somebody
they will now do anything for
– Motivated by expected personal gain

Page 13

Insider attackers
• Age 18-59
• 42% female
• Variety of positions
– 31% service
– 23% admin
– 19% professional
– 23% technical

• 17% have sysadmin/root access
• 15% regarded as difficult to manage
• 19% perceived by others as disgruntled employees
• 27% had come to attention of a supervisor and/or co-worker prior
to the incident
• 27% had prior arrests
Page 14

Types of insider attacks

• Leaking of information:
– insider copies information and using it for own purpose

• Data or service theft:
– Removal of data or software

• Tampering with data or system
– Changing data or software in the system or tampering with procedures

• Sabotage
– Changing data or software in the system so that the system does not work
properly (might not be immediately apparent)

• Vandalism
– Immediately visible and usually aimed to stop the system from working

Page 15

Precursors of insider attacks

• Deliberate markers
– To make a statement

• Meaningful errors
– Attacker makes error whilst trying to cover their tracks by deleting logfiles

• Preparatory behaviour
– Collecting information, testing countermeasures, checking permissions

• Correlated usage pattern
– might reveal a systematic attempt to collect information

• Verbal behaviour
– E.g. hints to friends, threats, unhappiness with the organisation …

• Personality traits
– Introversion, loners …

Page 16

Motivation

• Material gain
• Revenge
• Improve position within the organisation
• Improve esteem in the eyes of others
• Thrill-seeking

Page 17

Means of attacks

• In 87% of the cases: insider employed simple, legitimate user
commands to carry out attack
• In 78% of the cases: authorised users
• In 43% of the cases: attacker used their own username and
password!
• 26% used someone else’s account (unattended terminal with open
user account or social engineering)
• 70% exploited vulnerabilities in systems and/or procedures
• 39% were unaware of organisation’s technical security measure!

Page 18

Isys20261 lecture 03

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (16)

Similaire à Isys20261 lecture 03

Similaire à Isys20261 lecture 03 (20)

Plus de Wiliam Ferraciolli

Plus de Wiliam Ferraciolli (20)

Isys20261 lecture 03