Concept of threats and threat environment


Published on

A paper Discussing Security Threats, and how to mitigate against it.

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Concept of threats and threat environment

  1. 1. The Threat Environment, Hacking and Preventing Attacks 2013 NAME: UYOYO EDOSIO MSC | Information Technology Management
  3. 3. 2 | P a g e 2 1 INTRODUCTION With the advent of the ingenious technology called the “internet”, human beings have created a whole new global community. In this community there is: easier communication, without geographic limitations; real time data exchange for decision making and; easy access to unlimited information(Harvey & Novicevic, 2006). However, there are malicious members of this community (such as: hackers, disgruntled staff, social engineers), who threaten other members of the community(Loch & Carr, 1991)(Hasan & Prajapati, 2009) through their nefarious activities. Their major aim is to breach confidentiality of the information passed across networks, alter the integrity of information to suit their unethical intentions and disrupt the availability of data to legitimate users. In 2010, 40% of all the major security breaches were perpetrated by hackers(Symantec Corporation, 2013). These malicious members attack using different mediums; such as:worm’s, virus and Trojans, DoS, Fake websites(McGraw & Morrisett, 2000). Every computer, mobile phone or electronic gadget connected to the internet is exposed to this form of attacks. In 2004, a honey pot experiment carried out by Roger Grimes revealed that there is a fifty percent probability of an unprotected computer to be attacked within 32 minutes of gaining internet access(O'Kane, et al., 2011). It is therefore important for Individuals, countries and government to protect their information systems as the number of attacks are not only increasing on a daily basis, but also the impact is becoming graver. Aim of Report The aim of this report is to explain the concept of threats, enlighten readers on the activities of hackers, and how to protect information technology asset from attacks. Figure 1: Major Causes of Security Breaches (Symantec Corporation, 2013)
  4. 4. 3 | P a g e 3 2 THREAT ENVIRONMENT 2.1 CONCEPT OF THREAT Due to the ubiquitous nature of the internet, threats have no limitations. Individuals, organizations and nations are constantly under attack(Richardson, 2011). In fact the internet has created a platform where attacks can be conveniently perpetrated without physical presences of an attacker. Before one can attempt to fight threat one must understand what threats are and the types of threats one could possibly face. A threat is an attempt to circumvent the security of a network(Bishop, 2005). It can also be referred to as a probable attack on weak points of data security system. According to (Sumner, 2009), threats are risk, they have a likelihood of occurring. Like every other risk, it requires assessments and mitigation strategies. Of these two definitions (Sumner, 2009), gives a more holistic definition of threat taking into consideration the uncertainty of threats and also the need to mitigate threats to reduce their impact. 2.2 TYPES OF THREAT Threats are come in different forms ranging from national, economic and threats to individual’s personal information assets. Personal threat: Threats can be inform of Adwares, password sniffers this malwares are used to gain unauthorized access into a victims profile, emails, or credit cards and perform unauthorized transaction (Hasan & Prajapati, 2009); National security threats: National Security threats involve the use of malwares (such as Hoaxware, Risk ware) to cause political unrest amongst nations. (Hasan & Prajapati, 2009); The table illustrates possible forms of threats and the possible perpetrators: Source/Perpetrator Human threats Nonhuman Threats Internal Threats  Loyal Employees  Disgruntled Employees  Wrong Data Input  Unauthorized data modification  Power Surge  Program Bug External Threats  Competitors, Nations  Phishing Attacks, terrorist  Hackers, Social Engineers  Script kiddies  Fire  Flood, storms  Earthquake  Viruses, malware Table 1: Broad Categorization of Threats based on Source and Perpetrator:
  5. 5. 4 | P a g e 4 2.3 DISCUSSION: WHAT IS THE MOST DANGEROUS THREAT?  According to the (Richardson, 2011) malicious insiders are responsible for less than or equals to 50 percent of financial losses to an organization. He also stated the most common threats are Malware attacks, however they are not the most financially impacting  On the contrary (Andress & Winterfeld, 2011) suggest that malicious insider’s threats represent the second largest financial loss. While Advance Persuasion Threat (APT)/ National threats are the most costly threats. As national secrets worth a huge sum of money are been exploited, through APT. Countries like China and Russia literally have government funding on some APT attacks(Andress & Winterfeld, 2011).  Some authors state that insider’s threats amongst others are the very dangerous because they are very hard to detect(Spitzner, 2003). It appears that although insider attacks have higher likelihood of occurrence, but the most dangerous and impactful is the APT, which could lead to National states of emergency. Figure 2: This is an illustration of the types of threats, the threats are numbered form 1-5; where 1 equals most dangerous threat and 5 equals least dangerous threat [based on (Andress & Winterfeld, 2011)] 1) APT is the most financial impacting threat, usually the impact cost billions to nations 2) Insiders Threats: disgruntled and greedy employees who want to take advantage of known company secretes 3) Environmental threat :they uncontrollable and hence are the third most dangerous 4) Hackers: black hat hackers/ crackers are very common however they are not the most impactful financial attack 5) Script Kiddies are the least impactful or dangerous hackers, see section 2.0 for details
  6. 6. 5 | P a g e 5 3 HACKERS In this section we would study the different types of hackers, motives behind hacking, and how the hackers attack. 3.1 WHAT IS HACKING & WHO ARE HACKERS? According to (Panko, 2004), hacking is a deliberate attempt to gain unauthorized access to data or information. This definition tends to paint hackers as unethical groups of people that exploit information security measures. This definition just describes a particular type of hackers with nefarious intentions called the black hats or crackers. This is the most widely accepted definition of hackers. However, (Taylor, 1999) defines hacking as problem solving medium using unconventional techniques. In fact(Erickson, 2008)defined hacking as an intelligent way of solving problems using innovative approaches such as in-depth programming skills. (Taylor, 1999)(Erickson, 2008)Claim hacking is more of a skill set, which involves very good technical understanding. This definitions suggest that hacking in itself is not wrong, but it is just a tool for solving problems. Hackers have different motives for hacking, sometimes it is for “bragging rights”, in some cases for financial gain, espionage,cyber-war or revenge(Andress & Winterfeld, 2011). Using a combination of Skill sets and motives as a basis, hackers can be grouped into 3 broad categories: Hackers, Script kiddies and crackers(Barber, 2001). 3.2 TYPES OF HACKERS The table below presents an overivew of the different types of hackers, Their motives for atacking, ethics and their different skills. As mentioned earlier, hackers differ from each other based on motives/intentions, skills, ethics. Table 2: Comparative analysis of the different types of Hackers classified based on their motives, Ethics and Skill level Script Kiddies White Hackers Black hackers Grey Hackers Cyber terrorist Skills Level Quite Unskilled. They alter pre- programmed scripts Very skilled programmers Very skilled programmers Good social engineers Very skilled programmers Good technical skills Motives  Bragging Rights  Protection of users from threats  Protect organizations from potential attacks.  Financial Gain  Curiosity  Revenge  Bragging Rights  Fun  Reverse attack against black hats  Political Reasons  Espionage  Financial / economic threat damage
  7. 7. 6 | P a g e 6 Script Kiddies White Hackers Black hackers Grey Hackers Cyber terrorist Ethics  Considered unethical  Ethical  Illegal and Highly unethical  Somewhat ethical  Depends on the laws of the country of the attack. In this section we will defined only four types of hackers, they include: 3.2.1 Script Kiddies Script kiddies as the name implies are teens within the age group of 14-16, who partake in hacking attacks. They do not have deep technical knowledge and skills like the hackers or crackers. Script Kiddies initiate their attack by adapting existing computer scripts or codes created by someone else, to suit their intended attack scenario (Fitzgerald, 2004).Their major motive behind hacking is to achieve bragging rights. Their attacks most popular attack is website defacement (Conry-Murray, 2001). 3.2.2 White Hackers White hat hackers can also be referred to ethical hackers, unlike other hackers their motive is to defend organizations against threats (Graves, 2007). They make use of their skills and expertise to help organizations improve their security controls. Most times, they are professionals intentionallyemployed by companies to assess the vulnerabilities of their systems by carrying out attacks (Shanmugapriya, 2013). Their motive is to proactively protect companies from possible attacks, by simulating the attacks in real time and identifying risk areas (penetration testing). This goes a long way to help organization’s reduce the risk of threat attacks (Caldwell, 2011). Their motives are morally sound. 3.2.3 BLACK HAT HACKER A black hat hacker is one who breaches the security of an information system for selfish and criminal intentions (Wang, 2009). The motives for this kind of hackers are usually for financial gains, revenge or curiosity(Andress & Winterfeld, 2011). Black hat hackers are very proficient in programming and in some instances have good social engineering skills. An example of a black hat hacker can attack an ecommerce database to gain unauthorized access to customer’s credit card details, and use these details to make unauthorized transactions (Shanmugapriya, 2013). 3.2.4 Grey Hats Grey hat hackers can be seen as a mix between the black hat hackers and the white hat hackers(Bansal & Arora, 2012) (Wang, 2009). They sometimes carryout unauthorized attacks but their intentions are criminal or for selfish purposes (Shanmugapriya, 2013). For instances a white hat hacker may discover a loophole in an information system, but instead of reporting a breach to the authorities, he may decide to counter attack the system of the black hat hacker that initiated the attack(Wang, 2009). This act is may not be legally right but it is not totally ethically improper as he is not affecting an innocent victim.
  8. 8. 7 | P a g e 7 3.3 HOW HACKERS ATTACK? There are different ways through which a hacker attacks, the diagram below states some ways hacker’sperpetuate the attack. Figure 3: Types of attacks that could threat an information security assets [Based on (Hasan & Prajapati, 2009)] For the purpose of this material we will describe just four of these attacks, however refer to Appendix 1 for details of these attacks. 3.4 MALWARE ATTACKS A malware is a code that is written to damage the confidentiality, integrity and availability of an information system (Williamson, 2004). A malware seeks to alter existing information without due authorization (Heiser, 2004). Sometimes malware pretend to be legit software, in order instances they attach themselves to documents and sometimes they are “.exe” applications that require installation. According to (Heiser, 2004)Malware infect their host through the following ways:  They can be installed by an ignorant users  They can disguise as an attachment in an email  Theycan be transferred through USB sticks. Types of Attack Malware spyware Phising DOS SpoofingBrute Force Worms Shoulder surfing Social enginnerring
  9. 9. 8 | P a g e 8 3.5 Worms: Worms are malwares, they specially target systems that are connected (McGraw & Morrisett, 2000). They spread independently, by identifying loopholes within the network so as to infect vulnerable systems within the network (Williamson, 2004). An instance of this was in 2007 a Worm called storm worm infected 300,000 systems. The Trojan horse pretended to be an attachment containing information about the European storm (Security Views , 2007). However it secretly created a back door attack, granting the hacker remote access with administrative rights to a victims system (Security Views , 2007) 3.6 VIRUS: This is a malware that attach themselves to other software (usually legitimate), they are activated when the host program is executed by the users (McGraw & Morrisett, 2000). 3.7 TROJANS: Trojan horses are malicious software which pretend to be a trusted software application, however their aim is to damage a computer (OWASP , 2009). For instance a Trojan horse can pretend to be a Microsoft office installation file called “office.exe”. Usually they camouflage in this manner to be unnoticed by the user. 3.8 SOCIAL ENGINEERING ATTACKS It is the act of tricking people to grant unapproved access to an information, or divulge privileged information(Hasan & Prajapati, 2009). It involves playing on the psychological weakness of humans; it does not require deep technical skills unlike other attacks (Hasan & Prajapati, 2009). 4 THREAT PREVENTION MECHANISMS This section highlights different ways and mechanism to prevent threats and malware attacks. 4.1 INTRUSION PREVENTION SYSTEMS (IPS) According to (Endorf, et al., 2004) an IPS is a system that proactively identifies malicious activities and restricts them from occurring. They are usually installed internally within a network. Intrusion Prevention are: Proactive– because they can identify threats and, They are reactive- because they can mitigate the threat (Stiawan, et al., 2010). However one major weakness of IPS is that threats are always evolving and there is constant need to update its policy constantly, as it cannot preempt new attacks. Installation of firewall is a good form of intrusion prevention.
  10. 10. 9 | P a g e 9 4.2 EDUCATION OF USERS AND CONSISTENT AWARENESS Awareness and education of computer users is a medium of protecting against hackers and potential threats (Hasan & Prajapati, 2009)(Atkins & Huang, 2013). For instances, users can be educated on the risk attached with disclosing their passwords, granting unauthorized access to people. Training is one of the most effective ways of preventing social engineering attacks. Trainings should be accompanied with real life scenariosexplaining the behaviors and techniques that the hackers adopt when carrying out their attacks. This is necessary so that the users can now how to act when face with similar scenario (Ashish, 2007). 4.3 ANTIVIRUS, ANTI-SPYWARE These are software that protect computer against malware attack.They are very effective and need to be updated regularly to identify recent malware. They perform routine scan on networks, personal computers in order to identify infected areas of the computer and repair damages caused by the malwares 4.4 AUDIT LOG REVIEW Organizations should carryout system log audit on all staff systems to assess the risk of the activities carried out from the systems of the staff. Sometimes, disgruntled staffs with access may carryout nefarious attacks against the organization. But putting in routine review of the log file of users system can enable an organization catch the perpetrator of the attack easily. 4.5 ACCESS CONTROL (PHYSICAL AND ROLEBASED ACCESS CONTROL): Encryption of Data: This one medium toprotect data passed around networks. For instance sensitive data should be encrypted so that if intercepted by a wiretap or a man in the middle attack theattacker will be unable to decipher the data or make alterations. The encrypted text or data can only be decrypted by a user with the decryption key(Conry-Murray, 2001). 5 DISCUSSION AND CONCLUSION The report above shows that hacking activities could be ethical (white and grey hackers) or unethical (black hackers attack, cyber terrorist). Although, some definitions of hacking describes hacking as a deliberate attempt to gain unauthorized access to data or information. This definition just describes a particular type of hackers with nefarious intentions called the black hats or crackers. This is the most widely accepted definition of hackers.(Panko, 2004) Some authors are of the state that hacking in itself is not unethical, according(Taylor, 1999) defines hacking as problem solving medium using unconventional techniques. In fact (Erickson, 2008) defined hacking as an intelligent way of solving problems using innovative approaches such as in-depth programming skills. (Taylor, 1999)(Erickson, 2008)Claim hacking is more of a skill set, which involves very good technical understanding. This definitions suggest that hacking in itself is not wrong, but it is just a tool for solving problems. The ethics of hacking is defined by the motives, intention and skill set of the hackers.
  11. 11. 10 | P a g e 10 Also, in this report, we have highlighted the different types of attack that can be perpetuated by hackers, which include malware, adware, and social engineering attack. According to the CSI 2010 report, 67 percent of attacks are malware attacks, 39 percent of attacks are perpetuated through social engineering (phishing ) attacks, while (Richardson, 2011) ( see figure 4 for details). The number of these attacks keep raising every year. Organizations, individuals, government agencies are vulnerable to these attacks. Most of these attacks alter the confidentiality, integrity and availability of data. Therefore it is important to protect against this attack. This report identifies various medium to protect oneself from this attack through intrusion prevention, education, antivirus, audit review. However, researchers believe that the most effective way is through education of computer users on the activities of attack(Atkins & Huang, 2013). Individuals should be constantly made aware of attacks, regulatory bodies, government organizations should also be involved in educating users of the nefarious activities of hackers and threats. This will help reduce threats in the cyber community, cub the activities of hackers and reduce financial losses due to attack. Figure 4: Types of Threat Attacks based on (Richardson, 2011)
  12. 12. 11 | P a g e 11 6 REFERENCES Andress, J. & Winterfeld, S., 2011. Threatscape. In: Cyber warfare: techniques, tactics and tools for security practitioners. :Elsevier, pp. 29-33. Ashish, T., 2007. Social engineering: An attack vector most intricate to tackle, : Technical report, Infosecwriters. Bansal, A. & Arora, M., 2012. Ethical Hacking And Social Security. RADIX INTERNATIONAL JOURNAL OF RESERCH IN SOCIAL SCIENCE, 1(11), pp. 1-16. Barber, R., 2001. Hackers profiled—who are they and what are their motivations. Computer Fraud & Security, Volume 2, pp. 14-17. Bishop, M., 2005. Introduction to Computer Security. In: Massachusetts: Pearson Education, p. xxxiii. Bradon, A. & Wilson, H., 2013. A study of Social Engineering in Online Fraud. Scientific Research, pp. 23- 31. Caldwell, T., 2011. Ethical hackers: putting on the white hat, Network Security. Elsevier, 2011(7), pp. 10- 13. Conry-Murray, A., 2001. Network security's not-so-secret ingredients. Network Magazine, 16(8), pp. 68- 73. Endorf, C., Eugene, S. & Jim, M., 2004. Understanding Intrusion Detection . In: Intrusion Detection & Prevention.:McGraw-Hill, New York, p. Chapter 1. Erickson, J., 2008. The Hawks and the Doves. In: Hacking: The art of exploitation.:No Starch Press, pp. vii- x. Fitzgerald, M., 2004. Hackers, Crackers and Script Kiddies, Oh My! ; How to sort the good guys from the bad., p. 1. Graves, K., 2007. Introduction to Ethical Hacking, Ethics and Legality. In: CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50. :Wiley. com, p. 6. Harvey, M. G. & Novicevic, M. M., 2006. The World is Flat: A Perfect Storm for Global Business?. Organizational Dynamics, 35(3), pp. 207-219. Hasan, M. I. & Prajapati, N. B., 2009. An Attack Vector for Deception Through Persuasion Used by Hackers and Crakers. In: Networks and Communications, 2009. NETCOM'09. First International Conference on. :IEEE, pp. 254-258. Heiser, J. G., 2004. Understanding today's malware. Information Security Technical Report, 9(2), pp. 47- 64. Loch, K. D. & Carr, H., 1991. Threats to information system security: an organizational perspective. In: System Sciences, 1991. Proceedings of the Twenty-Fourth Annual Hawaii International Conference on.:IEEE, pp. 551-557.
  13. 13. 12 | P a g e 12 McGraw, G. & Morrisett, G., 2000. Attacking malicious code: A report to the Infosec Research Council. IEEE, 17(5), pp. 33-41. O'Kane, P., Sezer, S. & McLaughlin, K., 2011. Obfuscation: The Hidden Malware. Security & Privacy, IEEE , 9(5), pp. 41-47. OWASP , 2009. Trojan Horse. [Online] Available at: [Accessed 23 11 2013]. Panko, R. R., 2004. Corporate Computer and Network Security. s.l.:Pearson Education Lmited. Richardson, R., 2011. CSI 2010/2011 Computer Crime and Security Survey. Computer Security Institute, Volume 1, pp. 1- 44. Security Views , 2007. Malware. Computers & Security, 26(4), pp. 188-200. Shanmugapriya, R., 2013. A study of network security using penetration testing. In: Information Communication and Embedded Systems (ICICES), 2013 International Conference on. s.l.:s.n., pp. 371-374. Spitzner, L., 2003. Honeypots: Catching the insider threat. In: Computer Security Applications Conference, 2003. Proceedings. 19th Annual. :IEEE, pp. 170-179. Stiawan, D., Abdullah, A. H. & Idris, M. Y., 2010. The Trends of Intrusion Prevention System Network. In: Education Technology and Computer (ICETC), 2010 2nd International Conference on. s.l.:IEEE, pp. V4- 217. Sumner, M., 2009. Information Security Threats: A Comparative Analysis of Impact, Probability, and Preparedness. Information Systems Management, 26(1), pp. 2-12. Symantec Corporation, 2013. Information Security Threat Report, s.l.: Avialable on Taylor, P. A., 1999. Hackers: crime in the digital sublime. :Psychology Press. Wang, J., 2009. Network Security Overview. In: Computer network security: theory and practice. Springer, p. 26. Wilhelm, T., 2009. Why Stay Ethical?. In: Professional penetration testing: Creating and operating a formal hacking lab. :Syngress, pp. 15-16. Williamson, D., 2004. Deconstructing malware: what it is and how to stop it. Information Security Technical Report, 9(2), pp. 27-34.