II. Threats

Rugged is…

1. Knowing  who and what the most common and likely threats and threat agents to important data are.

2. Identifying what kind of data might be compromised by each likely threat.

The first section was about us, and how digital information affects each of us.  This section is about THEM, either  those who, by either  deliberate design or by happenstance, gain unauthorized access to or compromise digital assets,  or acts of God make it unavailable.  They are the THREAT AGENT.  When an asset is physically separated from a threat it is secure from that threat.  Security will exist when 1) assets are physically away from a threat or 2) when the threat is eliminated or destroyed (ISECOM Home Security Vacation Guide)

Securing Government Systems is a good summary of the current state of government IT systems, covers the need for SCAP, Cyberscope, and discusses if securing systems or data is the way to go in the future.

Why People Steal- There are only two ways to steal something; take what is not expressly given to you,  or have someone else take it and give it to you  (http://isecom.org OSSTMM, home  of “The Bad People Project”).  People steal for a variety of reasons:

  • Greed
  • Envy
  • Narcisstic tendencies (selfish disregard of others)
  • Too proud to beg
  • Necessity
  • Justice (misguided or otherwise)

Criminal threats

  • Organized Crime – As of late 2010, organized crime surpassed drug trafficking as the greatest criminal threat to the average American, by the amount of money stolen.  An increasing criminal threat, besides identity theft, is the ACH (Automated Clearing House) fraud which involves online check handling and credit cards.  Eastern European criminals are targeting small to mid sized businesses with emails containing malicious web links.  When the small business owner or financial officer goes to the website, malicious software is installed on the business’ computer and sends financial account login and passwords back to the crook.    For personal indivdual accounts, we have 30 days to check for errors and tell the bank.  For businesses, they have 24 hours from when the transaction is posted to notify the bank of errors.  How many business on Saturday check the validity of banking transactions made at 5pm on Friday? With valid credentials and passwords, criminals can drain the bank accounts of businesses, transferring less than $10,000 per transaction in order not to raise federal alerts.   Even if they can prove they didn’t make the transaction, after 24 hours the bank is no longer responsible.  Brian Krebs, a former reporter for the Washington Post has done a superb job in uncovering and publicizing this type of scam, bankrupting small businesses, churches, non-profit organizations, city and county governments (any organization with $50,000 and up in their bank accounts).  His website has suggestions on steps to take to prevent it.  http://krebsonsecurity.com/category/smallbizvictims/.
  • Child Pornography – possession of inapproprate images of underage children is a felony with mandatory jail time.  It doesn’t matter if the images are on a cell phone, USB drive, on paper, or on a home computer.  Anyone, regardless of age, who is in possession of inappropriate underage images (even of their own) is committing a felony.
  • Thieves – online fraud – take money for products or services that never arrive

Non-criminal threats 

  • Cyber Bullying – because of the newness and speed of evolution of technology, the greatest non-criminal threat is to our children.  Adults, in the quickly evolving digital age,  do not have past experience to know how to protect children  from that which is not well understood.   Parents and teachers are not teaching these concepts to children because they don’t understand the threat.  It is impossible for any ONE person to keep up,  let alone for a bureaucracy, like a school system, to create and disseminate accurate information on these subjects.
  • Loss of Service – malware (malicious software) may not be a legal issue but it can affect the data on a computer by preventing access to files, photos, documents, Internet services and be an annoyance and consume time.  The FCC deals with resolving informal complaints with telecommunication companies after working with them directly fails.
  • Spam — the FCC deals with unwanted communication whether through email, telephone or postal mail

Business threats – organized crime is a threat to business, as are:

  • Competitors – they may not steal legally protected information but loss of supplier, customer or other lists could cause a business serious harm.
  • Insiders (disgruntled and or careless)  Generally, people with the greatest access to organizational data are the biggest threat to it.  The threat can be accidental deletion or deliberate compromise.  Employees who have access to an organizations files, computers or other information can delete things that would take a lot of company time to restore.  Even if the damage isn’t deliberate it can cost an organization time and money to recover.  Most data lost in companies is the result of accidental deletion.  The person with the most access to information, and who uses it the most often, is the one the most likely to accidentally alter or delete it.
  • Industrial espionage — as mentioned in section I. Info, corporate, engineering and scientific secrets are and have been for years, methodically mined by foreign corporations and governments on a scale simply not within our awareness.

Political Threats —

  • Advanced Persistent Threat (APT) – this is the newest “buzz word” for good, old fashioned spying.  It refers to espionage by well funded and staffed governments (and was originally coined to describe China in politically correct terms) who deliberately, over several years, quietly and unobtrusively probed Internet addresses of other governments and important businesses.  The purpose is to identify industrial and government networks, infiltrate them and examine the internal network structure.  They map out where valuable computer accounts, servers and files may be.  Files may then be transferred to the foreign government for translation or use at their leisure.  Foreign governments are targeting key people in organizations, installing malware and patiently (over months) collecting information on VPN credentials, databases of sensitive data or human resources (HR) information accessed.  They only collect the data and do the exploration when that person is logged in so it looks like the activities of a legitimate employee.  Here is an article 5/31/11 on the Pentagon’s development of cyber-weapons and tools for computer warfare.  Another very likely APT attack on defense systems.
  • What was Stuxnet and why was it so revolutionary?

Home Threats

  • Family and Friends — As in business, the greatest threat to information and services on a home computer is the person who uses it the most.  Home computers are often not backed up, have multiple users, do not have a firewall like businesses do.  Nor do they have automatic updates applied by a dedicated computer staff.  ISECOM has developed a home security “vacation guide” which both physically helps secure a home.  It is also is an excellent primer on separating threats from assets, a concept that needs to be used in IT security.    This website is for home and small businesses that don’t know simple efficient ways to protect computers. Under IX. Plan are the top things to do to protect yourself,  family, friends and business on the cyber frontier of the Internet. 
  • Peer Pressure — not only children, but adults may feel pressure to reveal passwords, share accounts, participate in destructive behavior online.  Children need to be told that passwords are never to be shared with anyone but mom and dad (or whomever the legal guardian is).  Siblings, other relatives or friends may exert pressure to reveal private information.  It’s always good to think and prepare in advance about how to decline to answer without hurting the feelings of others in a social circle or the family.

Weather and Acts of God —

  • Weather — Hurricanes, floods, tornados, earthquakes, tsunamis, or fire can just as efficiently wipe out digital information as carelessness and crooks can.  With malicious intent lacking, the swiftest recovery plan is multiple (and tested)  backups stored in divergent locations.
  • Time –– Almost all media degrade over time.   Many people back up files but Compact Disks and Digital Video Disks only last from 2-5 years if stored standing on edge in a cool dark place.  Professionally mastered media can last a little longer.  (ComputerWorld). 

Information security, InfoSec, information technology security, cybersecurity, information assurance, information validation and verification, are all terms used to describe the processes of protecting data and information from any threat agents, whether human or event, that could remove, change or view it without appropriate authorization.

For amusement (not an endorsement of this vendor), here are links to one vendors vision of threats:

75 Responses to II. Threats

  1. Renee Orr says:

    Hadn’t thought about risk to home computer. Useful information.

  2. LT says:

    We can’t protect everything. We can only do what is reasonable.

  3. The video is a real good. The video gives a good example of a type of threat

  4. CH says:

    Video was very useful.

  5. Mark says:

    This is very good information to have on security threats. It’s on the job and at home.

  6. HP says:

    Never heard of APT, but definitely something to worry about. I’m sure many countries are doing this though, not just China.

  7. JPF says:

    Norton videos were entertaining.

  8. Matthew Hinton says:

    I hadn’t considered that I don’t have practical experience to share with my children about how to protect themselves online.

  9. Mr. D says:

    It’s a different world. Everything is “cyber”.

    Want to play a game?

  10. Ryker Abel says:

    Excellent commercials, they make just as much sense as Norton’s products do.

  11. DB says:

    Definitely learned a valuable lesson with Hurricane Katrina. For some reason, I didn’t think of “multiple backups stored in divergent locations”. Huge mistake!!! And obviously lost everything.

    • Some Dude says:

      A backup at home isn’t a backup. I would recommend a backup at home and a second line of defence in a disparate location from your main computing resource.

  12. Jose H says:

    Pretty scary. One little person like me just can’t keep up with what’s out there, nice to see others have thought about that and are providing guidance in helping deal with this complicated stuff, especially on the home front.

  13. michael says:

    good overview of threats

  14. Jean says:

    The video is scary. Sounds like a movie plot.

  15. Always Learning says:

    Since the development of malicious code is a problem, universities should incorporate better coding techniques within their computer teaching curriculum.

    • xyzzy says:

      few university programs have even a hint of a clue about what’s going on in the real world. and universities don’t teach ‘coding techniques’, but theory instead. while theory is nice for “computer science”, it’s less useful for “software engineering,” the actual application of practices for the development of software.

  16. Harold Syms says:

    Interesting and informative video.

  17. Brenda Sue Pickering says:

    I cannot hear video due to my being deaf!

    • Lydia says:

      The links provided above each video take you to the TED site. On that site, there is an option below the TED video window to select “Captions” and select a language for the captions. Then click to play the video and the speakers words will appear in text at the bottom of the video screen.

  18. Elastic Man says:

    Insider (disgruntled and or careless) threats can be minimized by only granted access to those who really need it. Carte Blanche data access is *NOT* the way to go!

  19. Kubla says:

    Interesting video. Its cool how they reverse engineered stuxnet to learn more about it.

  20. Bob Pope says:

    The information on home computer security was both interesting and useful.

  21. PG says:

    Very informitive and important

  22. I love the Home Threats section. I find that often people forget the risk doesnt go away when they go home.

  23. colston says:

    Keep these issues in mind when using other PCs (kinkos, library), wifi (coffe shop) and don’t forget about apps like skype, etc.

  24. LDD52412 says:

    Learned a few lessons from the Katrina. Everyone needs some type of a backup scheme for home as well as for there small businesses. As the price of backup method have decreased in the past few years there is no reason except stupidity not to have a backup method in place.

  25. Evolution thru growth says:

    So we have learned here that the leveling of the playing field is apparently not the same. The Banks have shortened their liability time to 24 hours, while we as human beings are expected to use the Internet to check our balances daily electronically with the same organizations that do not have the same requirements for firewalls as the individuals who are trying to protect their equipment. Just something to consider….

    • Lydia says:

      Business accounts and personal accounts fall under different regulations. Individual accounts have up to 30 days FROM THE DATE THE MAILED STATEMENT WAS SENT to find and report corrections on the statement. Business accounts only have 24 hours FROM THE TIME THE TRANSACTION WAS POSTED to inform the bank and not be held liable. Brian Krebs, formerly a reporter for the Washington Post has been a lone crusader trying to get that information out to small businesses, local governments, non-profit organizations — anyone with a business account. http://krebsonsecurity.com is an excellent, readable, reliable source of information on computer security.

  26. Chris says:

    The use of social engineering against my son nearly worked but fortunately my son got suspicious and asked me if he should consult with someone online to help fix a problem with his game console that was asking for a password to offer assistance. Once he asked me about it, then denied the other person his password, the other person revealed their true nature and text ranted about how stupid he was, etc. My son was happy to have saved himself from this person but it was nearly a missed opportunity. He had already entered his password, but didn’t hit send when he asked me about it.

  27. chris says:

    Good overview and very interesting video.

  28. Charlie says:

    Good training for once.. actually learned something

  29. 87251 says:

    I know to teach my child not to talk to strangers on the internet but I didn’t think I needed to warn him not to share his password with other family members!

  30. Ed says:

    Very impressed that the use of reference articles are very recent and that ted.com is also used within this training – not your father’s old computer based training class.

  31. LV says:

    Are there any unique or special threats to Apple computers?

    • Lydia says:

      Apple software is subject to the same number of vulnerabilities as are any other software programs as is explained under VI. Programs. What has saved it so far is that Apple has had so much less of the market share compared to Windows, so it’s less profitable for crooks to write exploits to steal information from Apple devices. As iPhones and iPads gain market share and capabilities of financial transactions via smartphones ( e.g. iPhones) becomes widely used, they also will become as exploited as Windows is now. There is a link on one of the pages to a newly released Mac virus (June 2011). What was frightening, was Apple’s total denial of the fact there was malware on their machines and their instructions to their help desk to deny any problems.

  32. TM says:

    For all of us who think that billing paying is a breeze at home. We may just rethink that the “stamp” at 42 cents; may still be the way to go.!! Have you written any letter lately; not emails; but true handwritten letters?

  33. cxs says:

    interesting

  34. IT Geek says:

    I thought the article on Securiing Government systems to be very interesting. As someone tasked with improving security and protecting data systems, I hope the take away for this training is that it is an important task and while painful at times it is NECESSARY.

    The corporate data that we protect is valuable and is treated as such.

  35. cjt says:

    Interesting stuff and some good things to keep in mind to stay secure

  36. NM says:

    Good information on Advanced Persistent Threat (APT)

  37. DH says:

    I did not know that data stored on CDs or DVDs have such a short life span.

  38. IT Person says:

    What was Stuxnet and why was it so revolutionary?

    It is the first discovered malware that spies on and subverts industrial systems and the first to include a rootkit.

  39. CWJ says:

    The Stuxnet virus is an amazing piece of software engineering. The virus is the cyber equivalent of two smart bombs targeting one system to impede the progress of the Iranian nuclear program. The real scare is the fact that Ralph called it “generic” and that it could be used against numerous targets, mostly within the US, Europe and Japan.

  40. Arctic says:

    Interesting, the use of YouTube was a good way to communicate the overall intent of the info.

  41. leewelch32 says:

    the ISECOM was a very handy, you don’t know how many times family ping you for help this will be great link for them too.

  42. OctalMan says:

    5 to 10 years is a minimum for CDs and DVDs. See http://www.osta.org/technology/cdqa13.htm and http://www.straightdope.com/columns/read/2410/do-cds-have-a-life-expectancy-of-10-years. What people really need to do is make copies to denser media every few years. We also need to be aware that spreadsheet and wordprocessor formats are not forever, either.

  43. Longshot9 says:

    Nice break down of the Stuxnet reverse engineering process.

  44. uptg says:

    The APT information was very informative as well as the video

  45. TSB says:

    This section was a good reminder that cybersecurity or Information security is not just the responsibility of only the IT security engineers or IT department but the responsibility of every user, whether it’s at home or at work.

  46. Buster says:

    Don’t forget to have backups of your backups. An offline hard drive is easy enough to back up to, but you should also back up to DVD.

  47. Guest says:

    I am rethinking online banking, even with my home security software. The banks can not even keep their own money safe!

  48. Elaine says:

    Stuxnet showed the next generation of possible cyberattacks that may be targeting not just computer networks, but electric grids, transportation centers, and just about everything that depends on computers and that means every aspect of our lives.

  49. Mike says:

    Home security is becoming more and more important since we use computers for many of our banking and purchasing roles. You can never be too sure of who is looking at your data.

  50. RS says:

    I always thought you never have enought backups. Also, this reminds me to teach my grandchildren about the do’s and dont’s about passwords/security of computers.

  51. Mark D. says:

    That TED presentation with Ralph Langner was fascinating. Frightening too. “Cyber weapon of mass destruction”, more like cyber-weapon of global destruction? I mean, the thought of a kind of worm that’s generic enough to go just about anywhere, including reactors, adjusting valves outside specified parameters to eventually crack (driving maintenance engineers crazy!) just paints a pretty grim picture of what’s possible.

  52. AID says:

    Learning about types of threats and how to secure the systems is very useful information.
    Knowing about organized crimes, Advanced Persistent Threat are really scary.

  53. EGK says:

    Our digital lives are mere extensions of our physical (analog?) ones and we should expect to see the same class of problems in both. Theft, crime, espionage and all kinds of threats will continue to exist in the digital world just like they do in the physical one. One distinguishing benefit we have with the digital world is that we can duplicate our assets and distribute them for protection & redundancy. This is not possible for most things physical. If you lost your watch, you lost your watch — live with it or buy another. With the digital world you expose your assets to a wider audience of criminals.

  54. Hugh says:

    Lock your screen when you walk away from your computer, log off at the end of the day and keep your password to your self and just pray that the virus software is doing its job.

    That’s all I have to say about that.

  55. DJM says:

    Children need to be taught the dangers of the online world. A child using a family computer can easily and unknowingly infect the computer with a virus.

  56. gfr says:

    CD only lasting for 2-5 years….that is scary

  57. Beelzebubba says:

    Next time I see an ad for an assembly language expert I’ll think twice…

  58. noname says:

    We’re living in the “Wild West” of electronic information. Newer technologies may bring even more threats.

  59. Kevin says:

    Very good video on Stuxnet (and Hasselhoff), cyber security, and vulnerability.

  60. 52601 says:

    Interesting video on stuxnet.

  61. Mr. E says:

    I really enjoyed the Stuxnet video. I wonder what new security procedures have been put into place in Iran as a result of Stuxnet.

  62. Sharkman says:

    While I still believe that most people are good-hearted and trustworthy, as is always the case in the human condition, there are those out there (cyber space) that ruin it for everyone else. Sadly the stakes are so high that you have to proceed with caution in every and all transaction, even when it doesn’t involve money. Sometimes it’s just PII, which could have even more detrimental effects. Tread lightly it’s a minefield out there!

  63. April says:

    Certainly didn’t know that businesses had only 24 hours to notify their bank of a security breach.

  64. JRB says:

    This will make good reading for son going off to college. Need to be aware of the threats, especially with Facebook usage.

  65. Still Learning says:

    The video on Stuxnet is very scary and dangerous.

  66. IT Manager says:

    knowing how your information can be compromised and used is the first step. I’m sure most people think that their home PC is too insignificant to be compromised (wrong) by hackers.

  67. kassim says:

    Be part of the solution, and participate as you can with some type of activities in your local community.

  68. Not to mention its access to several databases online that
    contain everything that you need. 4, most California assurances may be
    cleaned from the records of law-respectable citizens.
    The maximum incarceration period is usually limited to one year or
    less.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s