Isys20261 lecture 03
Download as PPT, PDF0 likes201 views
This document discusses different types of attackers that threaten computer security: - Opportunists seize opportunities without concern of getting caught. Emotional attackers seek revenge or fun and accept high risks. Cold intellectual attackers are professionals who attack for personal gain while minimizing risks. Terrorists and insiders also pose threats. - Insider attackers are particularly concerning as employees are one of the biggest threats, whether malicious or accidental. Insiders are often unwittingly manipulated by outsiders through tricks. Their motivations can include expected personal gains, revenge, or improving their position. - Common insider attacks include leaking information, stealing data or services, tampering with systems, sabotage, and vandalism. Pre
Isys20261 lecture 03
- 1. Computer Security Management (ISYS20261) Lecture 3 – Attackers Module Leader: Dr Xiaoqi Ma School of Science and Technology
- 2. The story so far … • Security requirements: – Confidentiality – Integrity – Availability • Information related assets: – data – software – hardware • Need to be protect assets from harm • Threat: possible source of harm to an asset Computer Security Management Page 2
- 3. Remember definitions? • Harm – Something happens to an asset that we do not want to happen • Threat – Possible source of harm • Attack – Threatening event (instance of a threat) • Attacker – Someone or something that mounts a threat • Vulnerability – Weakness in the system (asset) that makes an attack more likely to successes • Risk – Possibility that a threat will affect the business or organisation Computer Security Management Page 3
- 4. Last week … • Six basic types of harm • A threat is a possible source of harm • A threat exploits vulnerabilities in a system • We need to satisfy our information security requirements • Need to put controls in place to defend ourselves Computer Security Management Page 4
- 5. Defend against whom? • Malicious entity (human or computer program) that tries to compromise information security requirements (CIA) • Might attempt to: – discover secrets, – corrupt data, – spoof the identity of a message sender or receiver, – or force system downtime. • Attacker differ in – Motivation – Ability – Resources – Readiness to assume risk • We need to know what type of attacker we are facing to select effective security measures Computer Security Management Page 5
- 6. Attack sophistication vs. attacker technical Auto Coordinated knowledge Cross site scripting Tools “stealth” / advanced High scanning techniques packet spoofing denial of service Staged sniffers distributed attack tools Intruder sweepers www attacks Knowledge automated probes/scans GUI back doors disabling audits network mgmt. diagnostics hijacking burglaries sessions Attack exploiting known vulnerabilities Sophistication password cracking self-replicating code password guessing Intruders Low 1980 1985 1990 1995 2000 Computer Security Management Page 6
- 7. Types of attackers (A. Sasse, based on Schneier, 2003) • Opportunist • Emotional attacker • Cold intellectual attacker • Terrorist • Insider Computer Security Management Page 7
- 8. Opportunist • Most common type of attacker • Spots and seizes an opportunity • Convinced they will not get caught • Highly risk-averse Computer Security Management Page 8
- 9. Emotional attacker • Wants to make a statement • Accepts high level of risk • Motivation: – Revenge – Just for fun – Cries for help Computer Security Management Page 9
- 10. Cold intellectual attacker • Professional who attacks for personal material gain • High skill level • Has resources available • Highly risk-aversive • Might use insiders to carry out attacks Computer Security Management Page 10
- 11. Terrorist • Wants to make a statement or intimidate • Wants to gain visibility • Accepts high risk • Not deterred by sophisticated countermeasures • Might see countermeasures as challenge Computer Security Management Page 11
- 12. Insider • Employees are still one of the biggest threats to corporate IT security both through malicious and accidental actions. • “Statistics show that 70 per cent of fraud is perpetrated by staff rather than by external people or events. We invest up to 90 per cent of our security resources on controls and monitoring against internal threats." (Mitsubishi UFJ Securities International, 2008) • Insider are often tricked into the attack by a third party, e.g. through social engineering Computer Security Management Page 12
- 13. Insider (2) • Unwitting pawn for another insider or outsider • Insider intents to perpetrate or facilitate the attack, alone or in collusion with other parties, e.g. – Forced to carry out the attack, e.g. through blackmail, hostage – Groomed to carry out the attack, e.g. lonely person befriended by somebody they will now do anything for – Motivated by expected personal gain Computer Security Management Page 13
- 14. Insider attackers • Age 18-59 • 42% female • Variety of positions – 31% service – 23% admin – 19% professional – 23% technical • 17% have sysadmin/root access • 15% regarded as difficult to manage • 19% perceived by others as disgruntled employees • 27% had come to attention of a supervisor and/or co-worker prior to the incident • 27% had prior arrests Computer Security Management Page 14
- 15. Types of insider attacks • Leaking of information: – insider copies information and using it for own purpose • Data or service theft: – Removal of data or software • Tampering with data or system – Changing data or software in the system or tampering with procedures • Sabotage – Changing data or software in the system so that the system does not work properly (might not be immediately apparent) • Vandalism – Immediately visible and usually aimed to stop the system from working Computer Security Management Page 15
- 16. Precursors of insider attacks • Deliberate markers – To make a statement • Meaningful errors – Attacker makes error whilst trying to cover their tracks by deleting logfiles • Preparatory behaviour – Collecting information, testing countermeasures, checking permissions • Correlated usage pattern – might reveal a systematic attempt to collect information • Verbal behaviour – E.g. hints to friends, threats, unhappiness with the organisation … • Personality traits – Introversion, loners … Computer Security Management Page 16
- 17. Motivation • Material gain • Revenge • Improve position within the organisation • Improve esteem in the eyes of others • Thrill-seeking Computer Security Management Page 17
- 18. Means of attacks • In 87% of the cases: insider employed simple, legitimate user commands to carry out attack • In 78% of the cases: authorised users • In 43% of the cases: attacker used their own username and password! • 26% used someone else’s account (unattended terminal with open user account or social engineering) • 70% exploited vulnerabilities in systems and/or procedures • 39% were unaware of organisation’s technical security measure! Computer Security Management Page 18