
Analysing contemporary threat groupings

Database worms, code reverse engineering and device driver exploits are only a few of the present security threats.
By Frans Sauermann, Information security consultant for Tsepo Technology Consulting.
Johannesburg, 06 Dec 2007

In this series, I attempt to provide a high-level classification/taxonomy of information security threats. A threat in this context is defined as the enabling circumstance that an entity may use to harm another entity, through a process of exploitation of a vulnerability inherent in a resource, leading to increased risk or direct negative impact.

My previous Industry Insights provided the methodology and classification guidelines in terms of the type of threat. This time, I provide examples of contemporary threats that fall under the same generic grouping.

A threat group is a generalised known process or common method whereby exploitation of vulnerabilities occurs. These groups provide a higher-level classification of a chain of specific threats according to the exploitation processes that they follow.

According to Gartner, the 2006 hype cycle included the following threat groupings on the rise:

* Mashup exploits: The Web 2.0 concept of XML-based information that can be mixed and matched together could enable malicious code to be embedded into page portions.

* Database worms: The recent rise of embedded application code in databases has also brought with it a rise in the risk a database faces when attacked.

* RFID: Recent developments, such as JavaCard, have enhanced the capabilities of RFID chips and smart cards, but also increased the risk of exploitation.

* Code reverse engineering: In the past, vulnerabilities were difficult to find in closed source software. However, via pattern recognition, it is becoming easier to identify vulnerabilities in closed source software.

* Device driver exploits: In an operating system, device drivers operate at a lower level than normal programs, meaning they have more access to the CPU than other programs have. Exploitation of device drivers may sometimes even be traced back to the OEM.

* Rootkits: Rootkits are special variants of virus programs specifically designed not to be detectable by normal inspection mechanisms.

* SOHO vulnerabilities: Work-related computers that are taken home by staff and configured for VPN connections to office networks open additional attack vectors for hackers.

* Service-oriented architecture exploits: A lot of functionality has shifted to the SOAP stack commonly used in SOA software. Remote procedure calls that are not secured are prime targets for security exploits by familiar mechanisms such as man-in-the-middle attacks.

* Unmanaged network devices: Many devices owned by a corporation, such as laptops and mobile phones, are generally outside of the control of the IT department, leading to more exposure for the corporation.

* XENO threats: Companies that connect with overseas partners via Extended Enterprise Networks Overseas (XENO) are exposed to threats related to differing privacy, intellectual property and rights management laws.

* VOIP threats: Common exploits in the VOIP protocols have started to see the light of day. These also provide new angles of attack not previously possible. Many commercial VOIP systems are not securely configured, and the device is thought of as a telephone system rather than a computer system, thereby negating security.

* Financial backdoor Trojans: Trojan horse software has become specialised in focus. With the rise of Internet banking, Trojan horses have been created that steal customer credentials as well as perform fraudulent transactions while the client is logged into the banking system.

* Insecure application development: Many threats are due to a vendor's application development security practices.

* Malicious code variants: Recent virus programs have shown the ability to morph beyond the capabilities of anti-virus programs to detect them via signature-based mechanisms, rendering anti-virus useless on these programs.

Analysis of information security risk is not a trivial task. The issue may be addressed from both management as well as technical levels, but a common ground between the two domains is difficult to establish, due to the wide scope of applicable knowledge required.

* Frans Sauermann is information security consultant for Tsepo Technology Consulting.
