1. Knowing who and what the most common and likely threats and threat agents to important data are.
2. Identifying what kind of data might be compromised by each likely threat.
The first section was about us, and how digital information affects each of us. This section is about THEM: those who, by deliberate design or by happenstance, gain unauthorized access to or compromise digital assets, and the acts of God that make those assets unavailable. They are the THREAT AGENT. When an asset is physically separated from a threat, it is secure from that threat. Security will exist when 1) assets are physically away from a threat or 2) the threat is eliminated or destroyed (ISECOM Home Security Vacation Guide).
Securing Government Systems is a good summary of the current state of government IT systems; it covers the need for SCAP and Cyberscope, and discusses whether securing systems or securing data is the way to go in the future.
Why People Steal – There are only two ways to steal something: take what is not expressly given to you, or have someone else take it and give it to you (http://isecom.org OSSTMM, home of “The Bad People Project”). People steal for a variety of reasons:
- Narcissistic tendencies (selfish disregard of others)
- Too proud to beg
- Justice (misguided or otherwise)
Criminal threats –
- Organized Crime – As of late 2010, organized crime surpassed drug trafficking as the greatest criminal threat to the average American, by the amount of money stolen. An increasing criminal threat, besides identity theft, is ACH (Automated Clearing House) fraud, which involves online check handling and credit cards. Eastern European criminals are targeting small to mid-sized businesses with emails containing malicious web links. When the small business owner or financial officer goes to the website, malicious software is installed on the business’s computer and sends financial account logins and passwords back to the crook. For personal individual accounts, we have 30 days to check for errors and tell the bank. Businesses have 24 hours from when the transaction is posted to notify the bank of errors. How many businesses check, on Saturday, the validity of banking transactions made at 5pm on Friday? With valid credentials and passwords, criminals can drain the bank accounts of businesses, transferring less than $10,000 per transaction in order not to raise federal alerts. Even if the business can prove it didn’t make the transaction, after 24 hours the bank is no longer responsible. Brian Krebs, a former reporter for the Washington Post, has done a superb job of uncovering and publicizing this type of scam, which is bankrupting small businesses, churches, non-profit organizations, and city and county governments (any organization with $50,000 and up in its bank accounts). His website has suggestions on steps to take to prevent it: http://krebsonsecurity.com/category/smallbizvictims/
- Child Pornography – possession of inappropriate images of underage children is a felony with mandatory jail time. It doesn’t matter if the images are on a cell phone, USB drive, on paper, or on a home computer. Anyone, regardless of age, who is in possession of inappropriate underage images (even of their own) is committing a felony.
- Thieves – online fraud – take money for products or services that never arrive
- Cyber Bullying – because of the newness and speed of evolution of technology, the greatest non-criminal threat is to our children. Adults, in the quickly evolving digital age, do not have past experience to know how to protect children from that which is not well understood. Parents and teachers are not teaching these concepts to children because they don’t understand the threat. It is impossible for any ONE person to keep up, let alone for a bureaucracy, like a school system, to create and disseminate accurate information on these subjects.
- Loss of Service – malware (malicious software) may not be a legal issue, but it can affect the data on a computer by preventing access to files, photos, documents and Internet services, and it can be an annoyance and consume time. The FCC deals with resolving informal complaints with telecommunication companies after working with them directly fails.
- Spam — the FCC deals with unwanted communication whether through email, telephone or postal mail
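The ACH fraud item above turns on three details: transfers kept under $10,000, posting late on a Friday, and a 24-hour window for a business to notify its bank. The following is an added example, not part of the original page, of a daily review a small business could run over its own exported transfers; the ledger rows, payee names, the "two signals" rule and the 10% margin are constructed assumptions.

```python
from datetime import datetime, timedelta

REPORT_WINDOW = timedelta(hours=24)  # business notification window described above
ALERT_THRESHOLD = 10_000.00          # per-transfer amount described above
NEAR_FRACTION = 0.90                 # assumption: "just under" = top 10% below threshold

# Constructed sample export: (posted, payee, amount in USD) for outbound transfers
SAMPLE_LEDGER = [
    ("2011-06-03 10:15", "Acme Supplies", 1250.00),
    ("2011-06-03 17:00", "Payee A", 9800.00),
    ("2011-06-03 17:04", "Payee B", 9650.00),
    ("2011-06-04 09:30", "City Utilities", 310.40),
]
KNOWN_PAYEES = {"Acme Supplies", "City Utilities"}  # constructed allow-list


def review(ledger, known_payees, now):
    """Return flagged transfers, most urgent notification deadline first."""
    flagged = []
    for posted_s, payee, amount in ledger:
        posted = datetime.strptime(posted_s, "%Y-%m-%d %H:%M")
        reasons = []
        if ALERT_THRESHOLD * NEAR_FRACTION <= amount < ALERT_THRESHOLD:
            reasons.append("just under threshold")
        if payee not in known_payees:
            reasons.append("unknown payee")
        if posted.hour >= 17 or posted.weekday() >= 5:
            reasons.append("posted after hours")
        # One weak signal alone is noisy; require two before flagging.
        if len(reasons) >= 2:
            deadline = posted + REPORT_WINDOW
            flagged.append({
                "payee": payee, "amount": amount, "reasons": reasons,
                "deadline": deadline,
                "hours_left": round((deadline - now).total_seconds() / 3600, 1),
            })
    return sorted(flagged, key=lambda f: f["deadline"])


if __name__ == "__main__":
    # Review run on Saturday morning: the Friday 5pm transfers can still be reported.
    for f in review(SAMPLE_LEDGER, KNOWN_PAYEES, datetime(2011, 6, 4, 9, 0)):
        print(f)
```

A negative `hours_left` means the 24-hour window has already closed, which is what a review left until Monday would show for the Friday transfers.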
Business threats – organized crime is a threat to business, as are:
- Competitors – they may not steal legally protected information but loss of supplier, customer or other lists could cause a business serious harm.
- Insiders (disgruntled and/or careless) – Generally, people with the greatest access to organizational data are the biggest threat to it. The threat can be accidental deletion or deliberate compromise. Employees who have access to an organization’s files, computers or other information can delete things that would take a lot of company time to restore. Even if the damage isn’t deliberate, it can cost an organization time and money to recover. Most data lost in companies is the result of accidental deletion. The person with the most access to information, and who uses it the most often, is the one most likely to accidentally alter or delete it.
- Industrial espionage — as mentioned in section I. Info, corporate, engineering and scientific secrets are being, and have been for years, methodically mined by foreign corporations and governments on a scale simply not within our awareness.
Political Threats —
- Advanced Persistent Threat (APT) – this is the newest “buzz word” for good, old-fashioned spying. It refers to espionage by well-funded and well-staffed governments (and was originally coined to describe China in politically correct terms) who deliberately, over several years, quietly and unobtrusively probed Internet addresses of other governments and important businesses. The purpose is to identify industrial and government networks, infiltrate them and examine the internal network structure. They map out where valuable computer accounts, servers and files may be. Files may then be transferred to the foreign government for translation or use at their leisure. Foreign governments are targeting key people in organizations, installing malware and patiently (over months) collecting information on VPN credentials, databases of sensitive data or human resources (HR) information accessed. They only collect the data and do the exploration when that person is logged in, so it looks like the activities of a legitimate employee. Here is an article (5/31/11) on the Pentagon’s development of cyber-weapons and tools for computer warfare. Another very likely APT attack on defense systems.
- What was Stuxnet and why was it so revolutionary?
Home Threats –
- Family and Friends — As in business, the greatest threat to information and services on a home computer is the person who uses it the most. Home computers are often not backed up, have multiple users, and do not have a firewall like businesses do. Nor do they have automatic updates applied by a dedicated computer staff. ISECOM has developed a home security “vacation guide” which both helps physically secure a home and is an excellent primer on separating threats from assets, a concept that needs to be used in IT security. This website is for home and small businesses that don’t know simple, efficient ways to protect computers. Under IX. Plan are the top things to do to protect yourself, family, friends and business on the cyber frontier of the Internet.
- Peer Pressure — not only children but also adults may feel pressure to reveal passwords, share accounts or participate in destructive behavior online. Children need to be told that passwords are never to be shared with anyone but mom and dad (or whoever the legal guardian is). Siblings, other relatives or friends may exert pressure to reveal private information. It’s always good to think and prepare in advance about how to decline to answer without hurting the feelings of others in a social circle or the family.
Weather and Acts of God —
- Weather — Hurricanes, floods, tornados, earthquakes, tsunamis, or fire can just as efficiently wipe out digital information as carelessness and crooks can. With malicious intent lacking, the swiftest recovery plan is multiple (and tested) backups stored in divergent locations.
- Time — Almost all media degrade over time. Many people back up files, but Compact Discs and Digital Video Discs only last from 2-5 years if stored standing on edge in a cool dark place. Professionally mastered media can last a little longer (ComputerWorld).
Information security, InfoSec, information technology security, cybersecurity, information assurance, and information validation and verification are all terms used to describe the processes of protecting data and information from any threat agents, whether human or event, that could remove, change or view it without appropriate authorization.
For amusement (not an endorsement of this vendor), here are links to one vendor’s vision of threats:
- Dokken-fried chicken http://www.youtube.com/watch?v=UNanKfY5T9A&feature=related
- Kimbo-caterpillar http://www.youtube.com/watch?v=OXFNUBoUjz4&feature=related
- Hasselhoff-fan http://www.youtube.com/watch?v=98I_-wkBTJ4
- Lundgren-unicorn http://www.youtube.com/watch?v=G6ryQ8N_Lv0&feature=related