Threat (computer)
In computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.

A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or event.

Definitions

ISO/IEC 27005 defines threat as:
A potential cause of an incident, that may result in harm of systems and organization

A more comprehensive definition, tied to an information assurance point of view, can be found in "Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems" by NIST of the United States of America:
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

National Information Assurance Glossary defines threat as:
Any circumstance or event with the potential to adversely impact an IS through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.

ENISA gives a similar definition:
Any circumstance or event with the potential to adversely impact an asset [G.3] through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.


The Open Group defines threat as:
Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures.

Factor Analysis of Information Risk defines threat as:
threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur.


National Information Assurance Training and Education Center gives a more articulated definition of threat:
  1. The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest. Categorize and classify threats as follows:
     Categories / Classes
     Human: Intentional, Unintentional
     Environmental: Natural, Fabricated
  2. Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service.
  3. Any circumstance or event with the potential to cause harm to the ADP system or activity in the form of destruction, disclosure, and modification of data, or denial of service. A threat is a potential for harm. The presence of a threat does not mean that it will necessarily cause actual harm. Threats exist because of the very existence of the system or activity and not because of any specific weakness. For example, the threat of fire exists at all facilities regardless of the amount of fire protection available.
  4. Types of computer systems related adverse events (i.e., perils) that may result in losses. Examples are flooding, sabotage and fraud.
  5. An assertion primarily concerning entities of the external environment (agents); we say that an agent (or class of agents) poses a threat to one or more assets; we write: T(e;i) where: e is an external entity; i is an internal entity or an empty set.
  6. An undesirable occurrence that might be anticipated but is not the result of a conscious act or decision. In threat analysis, a threat is defined as an ordered pair, , suggesting the nature of these occurrences but not the details (details are specific to events).
  7. A potential violation of security.
  8. A set of properties of a specific external entity (which may be either an individual or class of entities) that, in union with a set of properties of a specific internal entity, implies a risk (according to some body of knowledge).

Phenomenology

The term "threat" relates to some other basic security terms as shown in the following diagram:

+ - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
| An Attack:              |  |Counter- |  | A System Resource:   |
| i.e., A Threat Action   |  | measure |  | Target of the Attack |
| +----------+            |  |         |  | +-----------------+  |
| | Attacker |<==================||<=========                 |  |
| |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
| | A Threat |<=================>||<========>                 |  |
| |  Agent   |  or Active |  |         |  | +-------|||-------+  |
| +----------+   Attack   |  |         |  |         VVV          |
| |                       |  |         |  | Threat Consequences  |
+ - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+

A resource (either physical or logical) can have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the Confidentiality, Integrity or Availability properties of resources (potentially different from the vulnerable one) of the organization and other involved parties (customers, suppliers).

The so-called CIA triad is the basis of information security.

The attack can be active when it attempts to alter system resources or affect their operation: so it compromises Integrity or Availability. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources: so it compromises Confidentiality.

OWASP (see figure) depicts the same phenomenon in slightly different terms: a threat agent, through an attack vector, exploits a weakness (vulnerability) of the system and the related security controls, causing a technical impact on an IT resource (asset) connected to a business impact.

A set of policies concerned with information security management, the Information Security Management Systems (ISMS), has been developed to manage, according to risk management principles, the countermeasures in order to accomplish a security strategy set up following the rules and regulations applicable in a country. Countermeasures are also called security controls; when applied to the transmission of information they are named security services.

The overall picture represents the risk factors of the risk scenario.

The widespread dependence on computers, and the consequent rise in the consequences of a successful attack, has led to the new term cyberwarfare.

It should be noted that nowadays many real attacks exploit psychology at least as much as technology. Phishing, pretexting and other methods are called social engineering techniques. Web 2.0 applications, specifically social network services, can be a means to get in touch with people in charge of system administration or even system security, inducing them to reveal sensitive information. One famous case is Robin Sage.

The most widespread documentation on computer insecurity is about technical threats such as computer viruses, trojans and other malware, but a serious study to apply cost-effective countermeasures can only be conducted following a rigorous IT risk analysis in the framework of an ISMS: a purely technical approach will leave out the psychological attacks, which are increasing threats.

Threats classification
Threats can be classified according to their type and origin:
  • Type
    • Physical damage
      • fire
      • water
      • pollution
    • natural events
      • climatic
      • seismic
      • volcanic
    • loss of essential services
      • electrical power
      • air conditioning
      • telecommunication
    • compromise of information
      • eavesdropping
      • theft of media
      • retrieval of discarded materials
    • technical failures
      • equipment
      • software
      • capacity saturation
    • compromise of functions
      • error in use
      • abuse of rights
      • denial of actions
  • Origin
    • Deliberate: aiming at information asset
      • spying
      • illegal processing of data
    • accidental
      • equipment failure
      • software failure
    • environmental
      • natural event
      • loss of power supply

Note that a threat type can have multiple origins.
Threat model

People can be interested in studying all possible threats that can:
  • affect an asset
  • affect a software system
  • be brought by a threat agent

Threat classification

Microsoft has proposed a threat classification called STRIDE, from the initials of the threat categories:
  • Spoofing of user identity
  • Tampering
  • Repudiation
  • Information disclosure (privacy breach or data leak)
  • Denial of service (D.o.S.)
  • Elevation of privilege

Microsoft used to rate the risk of security threats using five categories in a classification called DREAD. The model is now considered obsolete by Microsoft.
The categories were:
  • Damage - how bad would an attack be?
  • Reproducibility - how easy is it to reproduce the attack?
  • Exploitability - how much work is it to launch the attack?
  • Affected users - how many people will be impacted?
  • Discoverability - how easy is it to discover the threat?

The DREAD name comes from the initials of the five categories listed.
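As an added worked example (not Microsoft's or this article's own code), the following threat register puts the two Microsoft classifications above to use: each constructed threat is tagged with its STRIDE category, which is mapped to the security property it violates and to the passive/active attack class described in the Phenomenology section, and is then rated with the five DREAD categories. The assumptions are mine: every DREAD category is scored 1 to 10 and the overall rating is their arithmetic mean, as in Microsoft's original threat-modeling guidance; the STRIDE-to-property mapping and the sample threats are constructed for illustration.

```python
"""Threat register that classifies threats with STRIDE and ranks them with DREAD.

Added illustration (not Microsoft's or the article's own code). Assumptions:
every DREAD category is scored 1..10 and the overall rating is the arithmetic
mean of the five scores, as in Microsoft's original guidance; Microsoft now
treats DREAD as obsolete, so the score is a ranking aid, not a risk measure.
"""
from dataclasses import dataclass

# STRIDE category -> (security property it violates, attack class).
# The attack class follows the article: a passive attack learns information
# without affecting resources (confidentiality); an active one alters
# resources or their operation (integrity, availability and related goals).
STRIDE = {
    "Spoofing": ("Authentication", "active"),
    "Tampering": ("Integrity", "active"),
    "Repudiation": ("Non-repudiation", "active"),
    "Information disclosure": ("Confidentiality", "passive"),
    "Denial of service": ("Availability", "active"),
    "Elevation of privilege": ("Authorization", "active"),
}

DREAD_CATEGORIES = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    title: str
    stride: str
    damage: int            # how bad would an attack be?
    reproducibility: int   # how easy is it to reproduce the attack?
    exploitability: int    # how much work is it to launch the attack?
    affected_users: int    # how many people will be impacted?
    discoverability: int   # how easy is it to discover the threat?

    def __post_init__(self) -> None:
        # Reject unknown STRIDE categories and out-of-range DREAD scores early,
        # so a register cannot silently carry an unratable entry.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.stride!r}")
        for name in DREAD_CATEGORIES:
            score = getattr(self, name)
            if not isinstance(score, int) or not 1 <= score <= 10:
                raise ValueError(f"{name} must be an integer in 1..10, got {score!r}")

    def dread_score(self) -> float:
        """Arithmetic mean of the five category scores (assumed 1..10 scale)."""
        return sum(getattr(self, name) for name in DREAD_CATEGORIES) / len(DREAD_CATEGORIES)

    def violated_property(self) -> str:
        return STRIDE[self.stride][0]

    def attack_class(self) -> str:
        return STRIDE[self.stride][1]


def rank_threats(threats):
    """Return threats ordered from highest to lowest DREAD score (ties by title)."""
    return sorted(threats, key=lambda t: (-t.dread_score(), t.title))


def threats_by_property(threats):
    """Group threat titles by the security property their STRIDE category violates."""
    groups = {}
    for t in threats:
        groups.setdefault(t.violated_property(), []).append(t.title)
    return groups


# Constructed sample register for a hypothetical web application; the scores
# are illustrative values, not measurements.
SAMPLE_REGISTER = (
    Threat("Session token replay from network capture", "Spoofing", 7, 8, 6, 8, 5),
    Threat("Order total altered in client request", "Tampering", 8, 9, 8, 6, 7),
    Threat("Stack trace leaks internal hostnames", "Information disclosure", 3, 10, 9, 4, 9),
    Threat("Unbounded search floods the database", "Denial of service", 6, 7, 5, 10, 4),
    Threat("Admin API reachable without role check", "Elevation of privilege", 10, 9, 7, 9, 3),
)


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_REGISTER):
        print(f"{t.dread_score():4.1f}  {t.stride:<22} {t.attack_class():<7} {t.title}")
    print(threats_by_property(SAMPLE_REGISTER))
```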

The spread of threats over a network can lead to dangerous situations. In military and civil fields, threat levels have been defined: for example, INFOCON is a threat level used by the USA. Leading antivirus software vendors publish a global threat level on their websites.

Threat Agents
Individuals within a threat population. Practically anyone and anything can, under the right circumstances, be a threat agent: the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.

Threat agents can take one or more of the following actions against an asset:
  • Access – simple unauthorized access
  • Misuse – unauthorized use of assets (e.g., identity theft, setting up a porn distribution service on a compromised server, etc.)
  • Disclose – the threat agent illicitly discloses sensitive information
  • Modify – unauthorized changes to an asset
  • Deny access – includes destruction, theft of a non-data asset, etc.

It’s important to recognize that each of these actions affects different assets differently, which drives the degree and nature of loss. For example, the potential for productivity loss resulting from a destroyed or stolen asset depends upon how critical that asset is to the organization’s productivity. If a critical asset is simply illicitly accessed, there is no direct productivity loss. Similarly, the destruction of a highly sensitive asset that doesn’t play a critical role in productivity won’t directly result in a significant productivity loss. Yet that same asset, if disclosed, can result in significant loss of competitive advantage or reputation, and generate legal costs. The point is that it’s the combination of the asset and type of action against the asset that determines the fundamental nature and degree of loss.

Which action(s) a threat agent takes will be driven primarily by that agent’s motive (e.g., financial gain, revenge, recreation, etc.) and the nature of the asset. For example, a threat agent bent on financial gain is less likely to destroy a critical server than they are to steal an easily pawned asset like a laptop.

It is important to separate the event in which a threat agent gets in contact with the asset (even virtually, i.e. through the network) from the event in which a threat agent acts against the asset.

OWASP collects a list of potential threat agents in order to prevent system designers and programmers from inserting vulnerabilities into the software.

The term Threat Agent is used to indicate an individual or group that can manifest a threat. It is fundamental to identify who would want to exploit the assets of a company, and how they might use them against the company.

Threat Agent = Capabilities + Intentions + Past Activities

These individuals and groups can be classified as follows:
  • Non-Target Specific: Non-Target Specific Threat Agents are computer viruses, worms, trojans and logic bombs.
  • Employees: Staff, contractors, operational/maintenance personnel, or security guards who are annoyed with the company.
  • Organized Crime and Criminals: Criminals target information that is of value to them, such as bank accounts, credit cards or intellectual property that can be converted into money. Criminals will often make use of insiders to help them.
  • Corporations: Corporations are engaged in offensive information warfare or competitive intelligence. Partners and competitors come under this category.
  • Human, Unintentional: Accidents, carelessness.
  • Human, Intentional: Insider, outsider.
  • Natural: Flood, fire, lightning, meteor, earthquakes.

Threat Communities
Subsets of the overall threat agent population that share key characteristics. The notion of threat communities is a powerful tool for understanding who and what we’re up against as we try to manage risk. For example, the probability that an organization would be subject to an attack from the terrorist threat community would depend in large part on the characteristics of your organization relative to the motives, intents, and capabilities of the terrorists. Is the organization closely affiliated with ideology that conflicts with known, active terrorist groups? Does the organization represent a high profile, high impact target? Is the organization a soft target? How does the organization compare with other potential targets? If the organization were to come under attack, what components of the organization would be likely targets? For example, how likely is it that terrorists would target the company information or systems?
The following threat communities are examples of the human malicious threat landscape many organizations face:
  • Internal
    • Employees
    • Contractors (and vendors)
    • Partners
  • External
    • Cyber-criminals (professional hackers)
    • Spies
    • Non-professional hackers
    • Activists
    • Nation-state intelligence services (e.g., counterparts to the CIA, etc.)
    • Malware (virus/worm/etc.) authors

Threat action

Threat action is an assault on system security.

A complete security architecture deals with both intentional acts (i.e. attacks) and accidental events.

Various kinds of threat actions are defined as subentries under "threat consequence".

Threat analysis

Threat analysis is the analysis of the probability of occurrences and consequences of damaging actions to a system. It is the basis of risk analysis.

Threat consequence
Threat consequence is a security violation that results from a threat action.

It includes disclosure, deception, disruption, and usurpation.

The following subentries describe four kinds of threat consequences, and also list and describe the kinds of threat actions that cause each consequence.
Threat actions that are accidental events are marked by "*".

"(Unauthorized) Disclosure" (a threat consequence)
A circumstance or event whereby an entity gains access to data for which the entity is not authorized. (See: data confidentiality.) The following threat actions can cause unauthorized disclosure:
"Exposure":
A threat action whereby sensitive data is directly released to an unauthorized entity. This includes:
"Deliberate Exposure":
Intentional release of sensitive data to an unauthorized entity.
"Scavenging":
Searching through data residue in a system to gain unauthorized knowledge of sensitive data.
* "Human error":
Human action or inaction that unintentionally results in an entity gaining unauthorized knowledge of sensitive data.
* "Hardware/software error":
System failure that results in an entity gaining unauthorized knowledge of sensitive data.
"Interception":
A threat action whereby an unauthorized entity directly accesses sensitive data travelling between authorized sources and destinations. This includes:
"Theft": Gaining access to sensitive data by stealing a shipment of a physical medium, such as a magnetic tape or disk, that holds the data.
"Wiretapping (passive)": Monitoring and recording data that is flowing between two points in a communication system. (See: wiretapping.)
"Emanations analysis": Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data. (See: emanation.)
"Inference
Inference
Inference is the act or process of deriving logical conclusions from premises known or assumed to be true. The conclusion drawn is also called an idiomatic. The laws of valid inference are studied in the field of logic.Human inference Inference is the act or process of deriving logical conclusions...

": A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications. This includes:
"Traffic analysis
Traffic analysis
Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and...

": Gaining knowledge of data by observing the characteristics of communications that carry the data.
"Signals analysis": Gaining indirect knowledge of communicated data by monitoring and analyzing a signal that is emitted by a system and that contains the data but is not intended to communicate the data. (See: emanation.)
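An added example (not part of the original article) of inference by traffic analysis: an eavesdropper who cannot decrypt a response can still learn which resource was fetched, because encryption hides the bytes but not how many there are. The resource catalogue, its sizes and the per-record overhead constant are assumed values constructed for the example; the `pad_to` option shows how padding to a fixed bucket removes the distinguishing characteristic.

```python
# Constructed catalogue of resource sizes an attacker measured in advance
# (assumed values, not from any real site).
CATALOGUE = {
    "/index.html": 2048,
    "/login": 512,
    "/admin/users.csv": 15337,
    "/medical/record.pdf": 48211,
}
RECORD_OVERHEAD = 29   # assumed fixed per-response framing/tag overhead


def encrypted_size(resource, pad_to=None):
    """Length of the ciphertext an eavesdropper sees for one response.
    Encryption hides the bytes but not how many there are; `pad_to`
    models padding the plaintext up to a fixed bucket before encrypting."""
    n = CATALOGUE[resource]
    if pad_to:
        n = -(-n // pad_to) * pad_to     # round up to a multiple of pad_to
    return n + RECORD_OVERHEAD


def build_fingerprints(pad_to=None):
    """Map each observable size to the resources that produce it."""
    fp = {}
    for resource in CATALOGUE:
        fp.setdefault(encrypted_size(resource, pad_to), []).append(resource)
    return fp


def infer_resources(observed_sizes, pad_to=None):
    """Traffic analysis: for each observed ciphertext length, return the
    candidate resources. A single candidate means the content was
    effectively disclosed without touching the cipher."""
    fp = build_fingerprints(pad_to)
    return [sorted(fp.get(n, [])) for n in observed_sizes]


if __name__ == "__main__":
    # Constructed observation: the victim fetched the medical record.
    seen = [encrypted_size("/medical/record.pdf")]
    print("unpadded:", infer_resources(seen))                        # one candidate
    seen_padded = [encrypted_size("/medical/record.pdf", pad_to=65536)]
    print("padded:  ", infer_resources(seen_padded, pad_to=65536))  # all four
```

Real attacks combine sizes with timing, request counts and direction, so padding alone is a partial fix; the point of the example is that confidentiality of the payload does not imply confidentiality of what was communicated.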
"Intrusion": A threat action whereby an unauthorized entity gains access to sensitive data by circumventing a system's security protections. This includes:
"Trespass": Gaining unauthorized physical access to sensitive data by circumventing a system's protections.
"Penetration": Gaining unauthorized logical access to sensitive data by circumventing a system's protections.
"Reverse engineering": Acquiring sensitive data by disassembling and analyzing the design of a system component.
"Cryptanalysis": Transforming encrypted data into plain text without having prior knowledge of encryption parameters or processes.

"Deception" (a threat consequence):
A circumstance or event that may result in an authorized entity receiving false data and believing it to be true. The following threat actions can cause deception:
"Masquerade": A threat action whereby an unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
"Spoof": Attempt by an unauthorized entity to gain access to a system by posing as an authorized user.
"Malicious logic": In context of masquerade, any hardware, firmware, or software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.
"Falsification": A threat action whereby false data deceives an authorized entity. (See: active wiretapping.)
"Substitution": Altering or replacing valid data with false data that serves to deceive an authorized entity.
"Insertion": Introducing false data that serves to deceive an authorized entity.
"Repudiation": A threat action whereby an entity deceives another by falsely denying responsibility for an act.
"False denial of origin": Action whereby the originator of data denies responsibility for its generation.
"False denial of receipt": Action whereby the recipient of data denies receiving and possessing the data.
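An added example (not from the original article) of falsification by substitution and by insertion, first against a receiver that trusts whatever arrives and then against one that checks an HMAC. The shared key, the message format (canonical JSON body, a separator, a hex tag) and the payload are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed shared key; sender and receiver both hold it.
KEY = b"constructed-shared-key-not-for-real-use"


def encode(payload):
    """Canonical encoding so sender and receiver MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def make_message(key, payload):
    """Message = canonical body | HMAC-SHA256(key, body) as hex."""
    body = encode(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def receive_unauthenticated(msg):
    """A receiver that trusts whatever arrives: the deception succeeds."""
    body, _, _tag = msg.rpartition(b"|")
    return json.loads(body)


def receive_authenticated(key, msg):
    """A receiver that recomputes the tag; returns None on any mismatch.
    compare_digest avoids leaking the tag through timing differences."""
    body, _, tag = msg.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def substitute(msg, field, new_value):
    """Substitution: an attacker on the path alters one field of a valid
    message and forwards it with the original tag."""
    body, _, tag = msg.rpartition(b"|")
    payload = json.loads(body)
    payload[field] = new_value
    return encode(payload) + b"|" + tag


def insert(payload):
    """Insertion: an attacker without the key fabricates a whole message
    and has to guess the tag (here: a junk tag of the right length)."""
    return encode(payload) + b"|" + b"0" * 64


def demo():
    genuine = make_message(KEY, {"from": "alice", "to": "bob", "amount": 10})
    forged = substitute(genuine, "amount", 10000)
    fabricated = insert({"from": "alice", "to": "mallory", "amount": 500})
    return {
        "trusting_receiver_accepts": receive_unauthenticated(forged)["amount"],
        "substitution_detected": receive_authenticated(KEY, forged) is None,
        "insertion_detected": receive_authenticated(KEY, fabricated) is None,
        "genuine_accepted": receive_authenticated(KEY, genuine),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The MAC defeats substitution and insertion between the two key holders, but it does nothing against repudiation: either holder could have produced the tag, so a false denial of origin cannot be refuted with it. Non-repudiation needs a signature made with a key only the originator holds.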

"Disruption" (a threat consequence):
A circumstance or event that interrupts or prevents the correct operation of system services and functions. (See: denial of service.) The following threat actions can cause disruption:
"Incapacitation": A threat action that prevents or interrupts system operation by disabling a system component.
"Malicious logic": In context of incapacitation, any hardware, firmware, or software (e.g., logic bomb) intentionally introduced into a system to destroy system functions or resources.
"Physical destruction": Deliberate destruction of a system component to interrupt or prevent system operation.
"Human error": Action or inaction that unintentionally disables a system component.
"Hardware or software error": Error that causes failure of a system component and leads to disruption of system operation.
"Natural disaster": Any "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system component.
"Corruption": A threat action that undesirably alters system operation by adversely modifying system functions or data.
"Tamper": In context of corruption, deliberate alteration of a system's logic, data, or control information to interrupt or prevent correct operation of system functions.
"Malicious logic": In context of corruption, any hardware, firmware, or software (e.g., a computer virus) intentionally introduced into a system to modify system functions or data.
"Human error": Human action or inaction that unintentionally results in the alteration of system functions or data.
"Hardware or software error": Error that results in the alteration of system functions or data.
"Natural disaster": Any "act of God" (e.g., power surge caused by lightning) that alters system functions or data.
"Obstruction": A threat action that interrupts delivery of system services by hindering system operations.
"Interference": Disruption of system operations by blocking communications or user data or control information.
"Overload": Hindrance of system operation by placing excess burden on the performance capabilities of a system component. (See: flooding.)
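An added example (not from the original article) of one countermeasure to overload by flooding: a per-client token bucket that sheds excess requests instead of queuing them, so one flooding source cannot exhaust the capacity a well-behaved client needs. The refill rate, burst size, addresses and request log are constructed for the example.

```python
from collections import defaultdict


class TokenBucket:
    """Per-client token bucket: `rate` tokens per second refill, capped at
    `burst`. Each request spends one token; with no token left the request
    is shed rather than queued, so a flood cannot consume the capacity
    other clients need."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, client, now):
        elapsed = now - self.last.get(client, now)
        self.last[client] = now
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False


def replay(log, rate=5.0, burst=10):
    """Run a (timestamp, client) log through the limiter and count, per
    client, how many requests were served and how many were shed."""
    limiter = TokenBucket(rate, burst)
    counts = defaultdict(lambda: {"served": 0, "shed": 0})
    for ts, client in sorted(log):
        counts[client]["served" if limiter.allow(client, ts) else "shed"] += 1
    return dict(counts)


# Constructed request log (seconds, source address): one client polling
# every 0.5 s and one sending 200 requests in 2 s.
LEGIT, FLOODER = "203.0.113.7", "198.51.100.9"
LOG = [(i * 0.5, LEGIT) for i in range(10)] + [(i * 0.01, FLOODER) for i in range(200)]


if __name__ == "__main__":
    for client, c in replay(LOG).items():
        print(client, c)   # the polling client is fully served; the flooder gets ~20 of 200
```

Keying the bucket on a per-client identity is what protects the legitimate client; a single global limit would let the flooder starve everyone. Against a distributed flood the identity key must be chosen with care (a spoofable source address is a weak one), which is why the check usually sits at a point that can also verify the identity.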

"Usurpation" (a threat consequence):
A circumstance or event that results in control of system services or functions by an unauthorized entity. The following threat actions can cause usurpation:
"Misappropriation": A threat action whereby an entity assumes unauthorized logical or physical control of a system resource.
"Theft of service": Unauthorized use of service by an entity.
"Theft of functionality": Unauthorized acquisition of actual hardware, software, or firmware of a system component.
"Theft of data": Unauthorized acquisition and use of data.
"Misuse": A threat action that causes a system component to perform a function or service that is detrimental to system security.
"Tamper": In context of misuse, deliberate alteration of a system's logic, data, or control information to cause the system to perform unauthorized functions or services.
"Malicious logic": In context of misuse, any hardware, software, or firmware intentionally introduced into a system to perform or control execution of an unauthorized function or service.
"Violation of permissions": Action by an entity that exceeds the entity's system privileges by executing an unauthorized function.

Threat management
Threats should be managed by operating an information security management system (ISMS) and performing the IT risk management activities required by applicable laws, standards and methodologies.

Very large organizations tend to adopt business continuity management plans in order to protect, maintain and recover business-critical processes and systems. Some of these plans provide for setting up a computer security incident response team (CSIRT) or computer emergency response team (CERT).

The threat management process can be verified in several ways, including:
  • Information security audit
  • Penetration test

Most organizations perform only a subset of these steps, adopting countermeasures in a non-systematic way; computer insecurity is the study of the resulting contest between computer security exploits and defences.

Information security awareness has generated a sizeable industry (see the category Computer security companies).

Countermeasures may include tools such as firewalls, intrusion detection systems and anti-virus software; physical security measures; policies and procedures such as regular backups and configuration hardening; and training such as security awareness education.

A lot of software has been developed to deal with IT threats:
  • Open source software: see the category Free security software
  • Proprietary software: see the category Computer security software companies for a partial list

Threat literature


Well-respected authors have published books on threats and computer security (see the category Computer security books); Hacking: The Art of Exploitation, Second Edition, by Jon Erickson, is a good example.

See also

  • Attack (computer)
  • Computer emergency response team
  • Computer insecurity
  • Computer security
  • Countermeasure (computer)
  • ENISA
  • Exploit (computer security)
  • Factor Analysis of Information Risk
  • Hacking: The Art of Exploitation Second Edition
  • IETF
  • Information technology security audit
  • Information security
  • Intrusion detection system
  • ISMS
  • IT risk
  • National Information Assurance Glossary
  • National Information Assurance Training and Education Center
  • NIST
  • OWASP
  • Penetration test
  • Physical security
  • Risk factor (computing)
  • Security architecture
  • Security controls
  • Security service (telecommunication)
  • The Open Group
  • Vulnerability (computing)
  • Vulnerability management


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 