
Classifying complex threats

Information security threats are complex in nature and insidious in their ability to do harm.
By Frans Sauermann, Information security consultant for Tsepo Technology Consulting.
Johannesburg, 11 Sept 2007

Information security threats may be classified according to a large number of categories, and these classification schemes are often seen as complex.

Research on the subject typically provides specific examples of threats, but tends to steer away from a rigid classification framework. This is partly because such attempts try to impose a hierarchical structure on the analysis.

Information security threats are complex in nature and resist such analysis, because the branches of any hierarchical tree share inherent commonalities. Thus, the threat classes mentioned below are not exclusive, and a single threat may belong to several.

In this series, I attempt to provide a high-level classification, or taxonomy, of information security threats. A threat in this context is defined as the enabling circumstance that an entity may use to harm another entity, through exploitation of a vulnerability inherent in a resource, leading to increased risk or direct negative impact.

Fraud

In its simplest form, fraud is defined as gain through misrepresentation. This may be expanded further to include deception that is made for personal gain.


The rise in the importance of information has given prevalence to specific types of fraud. In their most abstract form, these classes of fraud are confidence tricks and theft.

A confidence trick is a specific type of fraud that is defined as an attempt to intentionally mislead a person with the goal of financial or other gain. This includes techniques such as social engineering.

Identity theft is the wilful illegal misrepresentation of identity by a person or organisation with the intent to either harm or gain financially from a victim.

Collusion is an attempt made by two or more entities to bypass segregation of authority as dictated by a governing body in order to gain unauthorised use of assets.

Denial of service

This class of threat causes outages in the availability of its target's services, whether by manual means or by disrupting the critical resources on which the services depend.

Where critical resources are aggregated, such as at a single point of entry, the impact is often greater.

Repudiation

With any transaction between parties, both parties may be bound to uphold the terms as agreed via oral, written or other contractual means.

In information security, repudiation is the denial by one party that an electronic transaction occurred, on the basis that insufficient evidence exists to prove it.

Attack staging

In the chain of events that eventually leads to the successful exploitation of a vulnerability, an attack process requires various staging points.

Certain threats exist only to satisfy the pre-conditions that allow other threats to exploit vulnerabilities successfully. These threats are not an end in themselves, but provide a stepping stone for further advancement in attacks.

Espionage / eavesdropping

Better known as spying, espionage is the act of obtaining classified information without the permission of the holder of the information.

This type of threat primarily aims to avoid detection, while at the same time obtaining information that can be used for a variety of goals, typically financial or military gain.

Signal capture threats involve the passive or active physical capture of communications signals that were not intended for the party who captured them. These threats usually arise from the electronic capture of radio, light and other electromagnetic waves.

For purposes of the analysis, this refers to the highest level at which the captured signal can be processed.

Misrepresentation / spoofing / tampering

Stored information or communications may be subject to alteration by malicious entities. In information security terms, active alteration of communications in transit is generally referred to as a man-in-the-middle attack.
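The repudiation and tampering sections above turn on the same question: does the record of a transaction carry evidence that binds the sender and exposes alteration? The following added illustration (not code from the article or its author) contrasts a MAC under a key shared by both parties, which either party could have produced, with a signature under a key only the sender holds; the RSA parameters are constructed toy values sized for illustration, not for security.

```python
import hashlib
import hmac

# Added illustration, not from the article: what counts as "sufficient
# evidence" when one party denies an electronic transaction, and how the same
# check exposes alteration of the record in transit. The RSA parameters are
# constructed toy values (two well-known small primes), sized for illustration
# rather than security.

P, Q, E = 1000000007, 1000000009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, held only by the sender

def digest(message: bytes) -> int:
    # SHA-256 of the record, reduced mod N so the toy modulus can carry it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_exp: int = D) -> int:
    return pow(digest(message), private_exp, N)

def verify(message: bytes, sig: int, public_exp: int = E) -> bool:
    # Needs only the public exponent, so any third party can check it.
    return pow(sig, public_exp, N) == digest(message)

def mac(message: bytes, shared_key: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def receiver_can_reproduce_mac(message: bytes, tag: bytes, shared_key: bytes) -> bool:
    # The receiver holds the same key, so it can produce an identical tag;
    # a MAC therefore shows the key was used, not which party used it.
    return hmac.compare_digest(mac(message, shared_key), tag)

def dispute_outcome(message: bytes, sig: int) -> str:
    # The sender later claims the transaction never happened. A signature that
    # verifies under the sender's public key refutes that claim; anything
    # else (no signature, or an altered record) leaves the denial standing.
    return "refuted" if verify(message, sig) else "upheld"

# Constructed sample transaction record and shared key.
TRANSACTION = b"from=acct-1001;to=acct-2002;amount=500.00;ts=2007-09-11T10:00Z"
SHARED_KEY = b"key-known-to-both-parties"

if __name__ == "__main__":
    sig = sign(TRANSACTION)
    tag = mac(TRANSACTION, SHARED_KEY)
    print("receiver can reproduce MAC:", receiver_can_reproduce_mac(TRANSACTION, tag, SHARED_KEY))
    print("dispute over signed record:", dispute_outcome(TRANSACTION, sig))
    altered = TRANSACTION.replace(b"500.00", b"5000.00")
    print("dispute over altered record:", dispute_outcome(altered, sig))
```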

Theft

Along with the usual definition of theft, information theft brings in the possibility of stealing information itself, or the devices or media that hold it.

Unauthorised use

In most capitalist systems, the owners of assets have the right to use those assets, as well as to delegate authority for their use.

Assets can be either physical, such as servers, or abstract, such as information databases. Unauthorised use of assets may be to the detriment of asset owners.

Vandalism / sabotage

Vandalism is the defacement or destruction of assets, symbols, documentation, Web sites or anything else against the will of the owner, normally focused around a specific social intent.

Unsolicited marketing

In information security terms, this is normally referred to as spam. The common definition of spam is tightly identified with e-mail spam; however, lately other forms of spam have arisen such as blog spam, SMS spam, link spam and VOIP spam.

For purposes of information security, the definition of unsolicited marketing may be expanded up to the point of marketing list reselling as well as junk mail.

* Frans Sauermann is information security consultant for Tsepo Technology Consulting.
