A threat is “a person or thing likely to cause damage”, but what does this mean in the context of information security?
Threats are actions perpetrated by groups or individuals that pose a danger to the confidentiality, integrity or availability (CIA) of an organisation’s information. For example, when an organisation’s data is breached, it is an attack on confidentiality, as the information is no longer known only to the organisation that owns it. Attacks on integrity often involve money and include actions such as changing information in the HR database so that people are paid more or less than they should actually earn. One of the best-known attacks on availability is the Petya family of malware, which has been seen since around March 2018. Petya-variety malware targets Windows systems and infects the master boot record to encrypt the file system, making it impossible to access any files. The malware generally then demands a bitcoin ransom to get the files back.
The groups or individuals perpetrating the attacks on CIA differ from company to company but usually fall into the following broad categories: Nation States, Organised Crime Groups (OCGs), Hacktivists, Opportunistic Hackers, Competing Enterprises and Insiders.
Nation States are well funded and build sophisticated, targeted attacks. They are typically motivated by political, economic, technical or military agendas and are often looking for competitive information, resources or users that can be exploited for espionage purposes.
OCGs are made up of cyber criminals who engage in targeted attacks driven by profit. They are typically looking either to hijack and ransom critical digital resources or to obtain the personally identifiable information (PII) of customers or employees.
Hacktivists are motivated by a political agenda and their goal is to either create high-profile attacks that help them distribute propaganda or to cause damage to the organisations that they are opposed to. The ultimate goal is to find a way to benefit their cause or gain awareness for their issue.
Opportunistic hackers usually work alone or in small groups and can be of any skill level. They may be amateur criminals driven by the desire for notoriety, legitimate security researchers trying to help organisations find and close security vulnerabilities, or even professional hackers looking to profit from finding and exposing flaws and exploits in network systems and devices. Competing enterprises may hire hackers to perform espionage to steal company secrets or intellectual property.
Broadly speaking there are two groups of threats that organisations face: internal and external. Insiders pose the largest threat to any organisation through either nefarious actions or accidental mistakes.
Malicious insiders are typically disgruntled employees or ex-employees either looking for financial gain or revenge after being passed over for a promotion. They may also be collaborating with other threat actors, for example if they have been bribed by a competing enterprise or blackmailed by nation states or organised crime groups.
User error is the largest threat an organisation faces, as it is commonplace and has a high impact. These threats exist largely because flows of data out of the network have not been designed, or because privileges have been given to individuals who should not have them. Additionally, untrained employees will fall for phishing campaigns and may give away their data or passwords without realising it, or may simply download malware by accident.
According to the 2018 insider threat report by CA Technologies, roughly 50% of companies have experienced an insider breach in the past 12 months. Many of the breaches reported in the news are started by insiders either stealing or leaking data themselves, or leaving it on public IP addresses for others to access. In such cases it is difficult to determine whether the user was acting maliciously or negligently.
Insiders have an advantage over other threats: they know the organisation from the inside out. Insiders will know the organisation’s security policies, how effectively they are enforced and how to get around them.
Insiders also have legitimate access to the organisation, to a greater or lesser extent depending on their privileges, and have more options for exfiltrating data. For example, users can copy data onto a USB drive, upload it to their private cloud, email it to themselves, or even print it out and take it home. External threats are usually limited to exfiltrating data through a command and control tunnel, which limits their exposure.
Managing external threats therefore means managing the network’s vulnerabilities and ensuring that there are no back doors left open or unsecured public IP addresses. The threats from insiders must be tackled in a different way, which starts with an IDAM (identity and access management) strategy.