CHAPTER 5

Vulnerabilities and Threats

Now that we’ve covered some of the theory and understood the issues at stake, the types of asset that can be affected, together with the possible impacts, we can continue by examining the vulnerabilities that can permit many of these threats to occur, and then move on to the main threats that can be the cause of cyber issues.

Business Continuity Cyber Vulnerabilities

Vulnerabilities are weaknesses in assets that can be exploited by threats. Typical examples would be little or no access control in computer systems, or poor physical security at the organization’s buildings.

It is not unreasonable to imagine that most vulnerabilities are of a technical nature, but this is actually far from correct. It is true that many vulnerabilities are technical, and many are solved by applying technical solutions. However, there are other types of vulnerability that can allow cyber threats to be successful, such as processes and people-related vulnerabilities.

Every time a vulnerability is identified, there may be additional data available on whether the vulnerability is known to have been successfully exploited, and on whether known controls are already available that mitigate the vulnerability, either fully or in part.

Even the most thorough risk assessment might not identify every vulnerability that could affect the organization, and since new vulnerabilities will emerge over time, vulnerability assessment should be revisited regularly.

Let’s now consider the various types of vulnerability that we may experience. From a cyber perspective, these tend to fall into one of five distinct areas:

  • Access control failures
  • Systems acquisition, development, and maintenance procedures
  • Physical and environmental failures
  • Operational management failures
  • People-related security failures

Access Control Failures

Access control is used both to permit access to information resources for persons who are authorized and to deny access to persons who are not authorized to access those resources. Access control failures are one of the main means by which successful cyberattacks take place.

There are two general areas where access control failures occur. The first is the failure to change users’ access rights when they are changing their role within the organization, and especially the failure to revoke all access rights when users leave the organization. Additionally, there is a widespread failure to restrict the use of system utilities, which can allow users themselves to change the configuration of their computers, potentially reducing the strength of the security settings.

The second area is that of failures in user password management, in which users are allowed to use easily guessed passwords; in which the default accounts and passwords of systems are not changed; and where the use of embedded passwords in software applications is permitted.
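The two failures just described, rights that are not revoked or reduced when someone leaves or changes role, and default accounts left on their factory password, can be caught by reconciling the account list against HR data. The Python below is an added example, not from the chapter; the roles, entitlements and records are constructed.

```python
"""Joiner/mover/leaver reconciliation of system accounts against HR data.
Added example (not from the chapter): flags the access-control failures the
text describes, stale rights after a role change, accounts left open after
departure, and vendor default accounts still on their factory password.
All records below are constructed."""
from dataclasses import dataclass, field

# Constructed mapping of job role -> the entitlements that role should hold.
ROLE_ENTITLEMENTS = {
    "finance-clerk": {"erp-read", "erp-post-invoice"},
    "hr-officer": {"hris-read", "hris-write"},
    "helpdesk": {"ticketing", "ad-reset-password"},
}
# Constructed list of vendor default account names.
DEFAULT_ACCOUNTS = {"admin", "guest", "sa"}


@dataclass
class HrRecord:
    user: str
    role: str
    status: str            # "active" or "left"


@dataclass
class Account:
    user: str
    enabled: bool
    entitlements: set = field(default_factory=set)
    default_password: bool = False   # still on the factory credential?


def reconcile(hr, accounts):
    """Return (user, finding) pairs for every account that breaks the rules:
    leavers must be disabled and stripped, movers must hold only their
    current role's rights, and default accounts must not keep their password."""
    hr_by_user = {r.user: r for r in hr}
    findings = []
    for acct in accounts:
        if acct.user in DEFAULT_ACCOUNTS:
            if acct.enabled and acct.default_password:
                findings.append((acct.user, "default account enabled with default password"))
            continue
        rec = hr_by_user.get(acct.user)
        if rec is None:
            if acct.enabled:
                findings.append((acct.user, "enabled account with no HR record"))
            continue
        if rec.status == "left":
            if acct.enabled or acct.entitlements:
                findings.append((acct.user, "leaver still has access"))
            continue
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings.append((acct.user, "rights beyond current role: " + ", ".join(sorted(excess))))
    return findings


def sample_findings():
    """Run the check over constructed HR and account data."""
    hr = [HrRecord("alice", "finance-clerk", "active"),
          HrRecord("bob", "hr-officer", "active"),    # moved here from finance
          HrRecord("carol", "helpdesk", "left")]
    accounts = [Account("alice", True, {"erp-read", "erp-post-invoice"}),
                Account("bob", True, {"hris-read", "hris-write", "erp-post-invoice"}),
                Account("carol", True, {"ticketing"}),
                Account("admin", True, set(), default_password=True),
                Account("dave", True, {"ticketing"})]
    return reconcile(hr, accounts)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

In practice the HR feed and the account export would come from the HRIS and the directory; the rules themselves do not change.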

Systems Acquisition, Development, and Maintenance Procedures

At one time or another, all organizations update older systems and software, acquire new ones, and also develop new software applications. It is essential that selection and development are carried out in a formal and controlled manner and that the selection criteria include appropriate security features. Rigorous analysis and testing of new software is required in order to discover whether or not it contains known vulnerabilities (it often does); these kinds of vulnerability frequently go unnoticed until they result in serious consequences later on. The root cause is often a desire to achieve cost savings.

In order to avoid these kinds of vulnerabilities, the organization should define and adhere to clear functional purchasing and development specifications, avoiding the use of untested and unauthorized software.

Another cause of vulnerabilities is the failure to validate data entry, such as entries that exceed a defined number of characters, resulting in application software failing, often into an unpredictable state, and allowing buffer overflow attacks to be successful.

One of the most critical errors is the failure of organizations to plan for the disaster recovery of business-critical systems. We shall deal with this area in much greater detail in Chapter 7.

Physical and Environmental Failures

Physical security defects are normally highly visible, not only to staff but also to potential intruders, allowing them to gain access to an organization’s buildings and ultimately their systems with the result that a local cyberattack can take place as opposed to a remote attack. The presence of robust security measures is generally sufficient to deter intruders, but it is vital that these measures are well maintained.

Such measures include controlled access to premises, especially to sensitive areas such as equipment rooms and cabling closets, and particularly with regard to doors and windows.

Environmental vulnerabilities that result in cyber-related issues tend to arise from the environmental subsystems that underpin major premises, such as power supplies, cooling, and humidity control systems. Imagine the consequences of remotely shutting down the air-conditioning plant at a major data center.

Operational Management Failures

Failures of operations management provide endless opportunity for vulnerabilities to be successfully exploited, whether these are deliberate or accidental. Underpinning operational management failures are almost always issues with policies and procedures—either through the failure of users and security staff to observe them or the failure of the organization to produce them in the first instance.

Operations management failures include the failure to ensure that appropriate segregation of duties is observed (especially where security staff can change the access permissions of users), the absence of audit trails that would allow anomalies to be identified easily, and the failure to segregate test and production systems.

Failure to ensure robust network monitoring, including intrusion detection, can result in users bypassing security systems by installing their own wireless access points in order to gain unauthorized access both to internal networks and to unprotected public networks. This kind of operational failure also includes the absence of formal Bring Your Own Device (BYOD) policies.

Another area in which operational management failures occur is the failure to keep malware protection up-to-date, to patch operating system and application software, and to follow operational change management procedures, all of which can result in successful cyberattacks that take advantage of vulnerabilities in older versions of software or use more recently introduced malware.

People-Related Security Failures

People-related security failures are caused by mistakes or oversights by the organization’s users and operational staff. They are mostly related to policies, processes, and procedures that require staff to follow prescribed instructions, such as not opening attachments in unsolicited e-mails, or that govern unsupervised work by third-party organizations or by staff who work outside normal business hours.

However, other types of people-related security failures are the result of deliberate actions by demotivated or disgruntled staff who seek to disrupt the organization’s business activities by causing damage for a real or perceived injustice of some kind. This can include such things as deleting or changing information, or copying sensitive company information and selling it to other interested parties—competitors for instance.

We should not overlook actions by staff who have been deliberately infiltrated within the organization in order to steal the organization’s IP, and this aspect of operational failures must be linked to the organization’s human resources policies regarding verification of the credentials of job applicants.

Data Stripping

When an organization develops its public-facing website, it is extremely common to update the contents at regular intervals—often many times daily. When new information is placed on the website, one aspect that is frequently overlooked is that of the metadata that accompanies the information itself.

An innocuous document can easily contain information that identifies the name of an employee, his or her internal username, versions of software used to produce the website information, dates, times, and locations of photographic images, and the network names of computer systems used in the organization. All of these can easily be recovered automatically by an attacker, using a technique known as “scraping.”

Having acquired this metadata, the attacker would then begin to target the users via social media or e-mails to their work address, and would try to exploit known vulnerabilities in the software of systems on the organization’s network.

When developing or updating their website, the organization should always ensure that this metadata is stripped out of any documents before they are placed online.
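As an added example of that stripping step (Python, not code from the chapter), the script below reads and then removes the author, machine, timestamp and application-version fields from a .docx, which is a zip archive whose docProps/core.xml and docProps/app.xml parts carry exactly the kind of metadata the text describes. The sample document it operates on is constructed.

```python
"""Strip identifying metadata from a .docx before it is published.
Added example, not from the chapter: a .docx is a zip archive in which
docProps/core.xml and docProps/app.xml carry author, machine, timestamp and
application-version fields. The sample document is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():   # keep the usual prefixes when re-serialising
    ET.register_namespace("" if _prefix == "ep" else _prefix, _uri)

# Per part, the elements whose text names a person, machine, product or time.
STRIP = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy",
                          "dcterms:created", "dcterms:modified"],
    "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company"],
}


def read_metadata(docx: bytes) -> dict:
    """Return {"part:path": text} for every identifying field present."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for part, paths in STRIP.items():
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for path in paths:
                el = root.find(path, NS)
                if el is not None:
                    found[f"{part}:{path}"] = el.text or ""
    return found


def strip_metadata(docx: bytes) -> bytes:
    """Rewrite the archive with the identifying elements removed; all other
    parts (the document body included) are copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in STRIP:
                root = ET.fromstring(data)
                for path in STRIP[info.filename]:
                    for el in root.findall(path, NS):
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed minimal .docx carrying the kinds of fields the text describes."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
        '<dc:title>Press release</dc:title><dc:creator>jsmith</dc:creator>'
        '<cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2017-05-12T09:14:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-12T10:02:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion><Company>Example Corp</Company></Properties>')
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

Images embedded in the document (word/media/) carry their own EXIF data and need a separate pass; the same read-then-strip check belongs in the publishing workflow for every file type that goes online.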

The Internet of Things (IoT)

The IoT, in which almost anything can be internet-connected and accessed from anywhere, is firmly with us. Light bulbs, central heating thermostats, white goods, door locks, and children’s toys are just a few of the many household items that can be part of the IoT, which therefore deserves a section all to itself, since it—or at least the things that combine to make it—represents real potential for cyber vulnerabilities. Indeed, many have already been discovered.

The so-called top ten IoT issues listed in a report1 by the Infosec Institute give us some idea of the range of issues that the IoT may bring us.

The main item on the list is that of the so-called “shaky web interface”—the means by which the device is controlled by an application—whether on a computer or smartphone. Many of these are poorly written, and either do not function as they should or worse still leak personal data. While this is just one of the 10 issues on the list, it has ramifications across the board. The applications that are used to access it may also exhibit poor performance or security weaknesses, and in some cases may not have any security at all. Even when they do, the security aspects of the device may be basic at best, and may allow the user to turn them off completely.

Not least of the issues are those affecting so-called “intelligent personal assistants” (IPAs). These come in a variety of forms—some as an application on smartphones such as Apple’s Siri or Microsoft’s Cortana, or built into a hardware platform such as Amazon’s Echo/Alexa system, Apple’s Homekit or Microsoft’s Xbox.

These IPAs respond to the human voice and will undertake a variety of actions when triggered. In most cases, they will simply attempt to turn the voice command into an Internet search, but if a connection has been made with another IoT device, they can also cause it to undertake some action, for example to turn a light on or off or to adjust the room temperature. In early 2017, a young girl asked Alexa to get her a doll’s house, and a few days later a $160 doll’s house was duly delivered. This alone was bad enough, but when a San Diego news reporter repeated the girl’s request as part of the program, Echo/Alexa devices all around the area, upon “hearing” the reporter’s voice on a nearby television, began trying to order doll’s houses as well.2 You can appreciate the funny side of this, but there is a far more sinister aspect to it.

When the IPA can command a door lock device to open, things become rather more interesting. When the householder is away, a thief could (at least in theory) call the house telephone, and when the answerphone cuts in, simply say “Alexa, open the door,” and you can imagine the rest.

In January 2017 at the Seehotel in the town of Jagerwirt in Austria, the hotel’s computer systems were compromised as a result of someone clicking on an attachment contained in an e-mail, and guests were locked out of their rooms.3 The attackers demanded two bitcoins (about $1,800 at the time) as a ransom, which the hotelier agreed to pay. He later changed the room locks back to the more traditional metal key type.

In an effort to distinguish themselves from other companies, some manufacturers develop their own communication protocols that do not follow industry standards, and while this may provide them with a degree of exclusivity, it usually means that the user cannot manage his or her device in harmony with the remainder of those in the household. Naturally, when events make harmonization necessary, those manufacturers are left with the problem of rewriting their software from scratch, and the users may find that their devices cannot be updated and are now virtually useless!

One of the most serious potential problems is that of any user data that is held on the IoT device itself—most manufacturers give no thought as to how the user can ensure that this is deleted when they sell or otherwise dispose of the device.

Despite their usefulness, there is a considerable way to go before IoT devices can truly be safely used in the home environment, and any organization that uses them in its offices, factories, or warehouses must be very certain of what it is placing at risk if things go wrong.

Business Continuity Cyber Threats

Threats are actions or events that result in unwanted consequences. They are usually assumed to be man-made, where an attacker displays a degree of motivation as in the case of IP theft. Some threats may never be carried out, but the organization must be aware of them and prepared to take remedial action in case they are.

While there are no hard and fast delineations of threats, I have grouped the most common ones below, and we’ll take a brief look at each in turn:

  • Malware
  • Social engineering
  • Information misuse and abuse
  • Errors and failures
  • Hacking, including defacement, sabotage, and Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks
  • Loss of key information, IP and financial theft

Malware

The term “malware” refers to malicious software that is used to attack an individual’s or an organization’s information systems. Examples of malware include worms, viruses, and Trojans—software entities that are specifically designed either to collect, damage, or delete information, or to cause harm to an information system, its operating system, or software applications. Malware is invariably concealed from the user, is sometimes self-replicating or attached to an executable program, and if carefully tailored can quickly spread to other systems when unwittingly activated by the user.

Some types of malware go to enormous lengths to conceal their existence, and can be disguised as legitimate software or data. However, their purpose is invariably malevolent.

Rootkits, on the other hand, are often more devious still, as they may contain a variety of malware types, each designed to undertake a different task, for example changing access permissions prior to recording information and sending it to an external recipient.

Spyware generally does just that—it records keystrokes, collects useful information, and reports back to the attacker, who may then launch a targeted attack on the basis of the information received, often using one or more rootkits to achieve his or her goal.

Botnet clients are an unusual form of malware, in that they comprise a collection of slave computers—bots, short for robots—that are used to execute an attack elsewhere, for example in DDoS attacks. The bots are controlled by one or more so-called bot herders that instruct the bots to undertake the attack. Botnets are also used in delivering spam.

Finally, ransomware has become big business. Some form of malware will cause total disruption to a user’s computer—normally it will encrypt parts of or the entire hard drive—and will notify the user that they cannot now use the system. It will demand payment—usually in Bitcoins—in order to provide the decryption key to unlock the encrypted information.

An excellent recent example of this is from March 2016, in which an American health care provider was attacked.4 The attackers demanded a ransom to unlock the computers used to access patient records, resulting in systems being rendered useless, and staff having to resort to pen-and-paper records until the problem was resolved.

More recently, the WannaCry virus caused worldwide problems in May 2017 with much the same aims and impacts. This exploited vulnerabilities in a number of Microsoft Windows operating systems, and within one day of its release had affected almost a quarter of a million computers in more than 150 countries. Most of these were running Windows 7 and, critically, had not been updated with the latest available security patches.

Soon after this, another virus known as Petya struck. Again, this was ransomware, and had much the same result. However, sometime later in 2017, a virus known as NotPetya appeared, and this—although it bore a strong resemblance to Petya—was not ransomware, but was merely designed to cause chaos, which it did very successfully.

One of the organizations affected by the NotPetya virus was the worldwide distribution company TNT, owned by FedEx.5 Its operations were seriously disrupted by the attack, and since the attackers had not designed the attack to demand a ransom for encrypting the hard disk drives of affected computers, there was no provision for obtaining a decryption key.

FedEx estimated that the attack had cost the company $300 million. The attack has since been attributed to Russia by both the UK and US cybersecurity agencies.

Social Engineering

The technique of social engineering is widely used by attackers to acquire information concerning access to systems so that their subsequent activities are greatly simplified. There are the more traditional forms of social engineering in which an attacker will attempt to engage conversationally with a user often by telephone or e-mail; but an attacker might also disguise malware as a legitimate web link, data, or software in an e-mail by mimicking the house style, naming conventions, or language of a major corporation. For example, the attacker may e-mail a user purporting to be the latter’s bank, but where an embedded link directs the user to a website that contains malware. Some examples of social engineering threats include spoofing—masquerading and impersonation of legitimate organizations; phishing—usually a targeted attempt to collect user credentials; and Spam—which floods users with unwanted e-mails in the hope that some of them will take the bait.

Attacks have already changed from the more traditional approach to those that use psychological methods to target the user, such as curiosity, urgency, and seasonal greed.

Sometimes, however, it is relatively easy to tell whether or not an e-mail or web link is a phishing attempt simply by examining the language—grammar and punctuation especially. If the message is examined by a human, the human’s familiarity with the sender or sending organization, the method of greeting, and the context of the message make it highly likely that the phishing attack will be avoided. However, even the smartest machine-based tool may let it through.
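The cues just listed (the greeting, whether the sender is who it claims to be, the urgency of the request) are what a machine-based filter can check mechanically; as an added example in Python, not code from the chapter, the scorer below applies them, plus a check that a link’s visible text matches where it actually points, to two constructed messages. The list of known sender domains is also constructed.

```python
"""Heuristic scoring of an inbound e-mail for phishing cues.
Added example, not from the chapter: it checks the cues the text names
(greeting, familiarity with the sender, urgency in the message) plus a link
whose visible text does not match where it points. The known-sender list and
the two messages are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: organisations the recipient deals with and the domains they send from.
KNOWN_SENDERS = {"Example Bank": {"examplebank.com", "mail.examplebank.com"}}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
URGENCY = ("immediately", "within 24 hours", "will be suspended", "act now")


class _Links(HTMLParser):
    """Collect (href, visible text) for every anchor in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def score_message(msg):
    """Return (score, reasons). msg keys: display_name, from_addr, body_html."""
    reasons = []
    claimed, known = msg["display_name"], KNOWN_SENDERS.get(msg["display_name"])
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    if known and sender_domain not in known:
        reasons.append(f"claims to be {claimed} but sent from {sender_domain}")
    text = re.sub(r"<[^>]+>", " ", msg["body_html"]).lower().strip()
    if text.startswith(GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if any(phrase in text for phrase in URGENCY):
        reasons.append("urgency language")
    parser = _Links()
    parser.feed(msg["body_html"])
    for href, shown in parser.links:
        # Only compare when the visible text itself looks like a URL or domain.
        m = re.match(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", shown.lower())
        shown_host, real_host = (m.group(1) if m else ""), _host(href)
        if shown_host and shown_host != real_host:
            reasons.append(f"link text shows {shown_host} but points to {real_host}")
        elif known and real_host not in known:
            reasons.append(f"link to unfamiliar domain {real_host}")
    return len(reasons), reasons


def sample_scores():
    """Score one constructed phish and one constructed legitimate message."""
    phish = {"display_name": "Example Bank", "from_addr": "alerts@examplebank-secure.net",
             "body_html": '<p>Dear Customer,</p><p>Your account will be suspended unless you '
                          'verify within 24 hours: <a href="http://examplebank.com.evil-example.net/'
                          'login">www.examplebank.com/secure</a></p>'}
    legit = {"display_name": "Example Bank", "from_addr": "service@examplebank.com",
             "body_html": '<p>Hi Alice,</p><p>Your April statement is ready: <a href='
                          '"https://mail.examplebank.com/statements">https://mail.examplebank.com/'
                          'statements</a></p>'}
    return {"phish": score_message(phish), "legit": score_message(legit)}
```

A message with a personal greeting, calm wording and a lookalike domain would trip only the sender and link checks, which is the page’s point that a filter can still let a well-crafted phish through.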

The incidence of phishing attacks aimed at social media accounts was reported as having increased by 500 percent in the final quarter of 2016.6 Since then it will have increased still further as the number of social media subscribers has grown.

Misuse and Abuse

While hacking attempts usually originate from outside an organization, misuse and abuse normally originate from within it. The result may be the same for either type of attempt, but in the case of misuse or abuse, the internal user has the great advantage of already being inside at least some of the organization’s security systems. He or she may also have appropriate access privileges as well as the passwords to match. Therefore, an internal attacker potentially has a significantly greater chance of success than an external attacker.

Misuse and abuse threats include the modification or escalation of privileges that will allow the user to gain access to information and systems to which he or she is not entitled, and which could ultimately be passed to an external attacker. These threats can also result in the theft of both application software and business information.

Errors and Failures

Errors and failures are everyday events. Errors are made by users and technical staff, sometimes as a result of poor awareness or skills training, and are not usually ill-intentioned. Failures are caused by something that has ceased to work in the expected way, and again are not malevolent.

Some frequent examples of error and failure threats include software failures, resulting in application or system crashes, and also where interdependencies between software applications have not worked correctly. System overloads are also a kind of software failure, but in which the software has been stressed beyond its design parameters—for example when a DDoS attack occurs. Finally, hardware failures still occur from time to time, even though modern hardware is designed to be highly reliable. Some (but not all) hardware failures can be mitigated using techniques such as redundancy and disaster recovery.

Hacking

Although hacking’s origins represent the activities of electronics hobbyists and enthusiasts many years ago in order to explore how computers worked and how they could make them work better, the term is now applied to many forms of illicit behavior. Hacking nowadays invariably results in a breach of confidentiality, integrity, or availability by infiltrating systems and intercepting traffic with the express intention of stealing, changing, or deleting someone else’s information. Hacking is also used to deliver DoS and DDoS attacks, designed to prevent legitimate access to systems.

Hacking in these terms is now treated as a crime, since it almost always involves access to another person’s or organization’s systems without their permission.

It is becoming increasingly common to read stories in the media about hackers stealing large volumes of information, for example user identifiers, passwords, and credit card details, and then selling this information on to criminal gangs, or using it themselves in fraudulent transactions.

Hackers range from lone individuals through loosely knit or organized groups to the employees of nation-states, whether directly or indirectly employed. Regardless of their objectives, motivation, shape, and size, the damage hackers can cause is enormous, and the availability of hacking tools on the Internet (either free or at very low cost) has drastically reduced the level of skill required by hackers to achieve their aims.

The Loss of Key Information and IP and Financial Theft

The theft of information or IP can have extremely serious consequences for any organization, whether this causes customers to lose faith in its ability to protect their sensitive (often personal) data, damages the organization’s value on the national or international stock exchanges, or provides its competitors with information that they can use to their advantage.

Financial theft will always remain a major threat. The bank robber Willie Sutton (no relation, I am happy to say) was quoted as saying that he robbed banks “Because that’s where the money is.” While this remains true, it is significantly less risky and usually more lucrative for a thief to use a computer to steal money remotely than it is to hold up the bank’s staff with a shotgun.

As threats go, the theft of business-critical information or money is one that will often bring an organization to its knees very rapidly, and from which it may struggle to recover.

As we shall see in Chapter 7, there are methods that can be used to protect the business against many of these vulnerabilities and threats or at least to reduce their effectiveness.

Threat and Vulnerability Assessments

Some business continuity practitioners argue that the threat and vulnerability assessments should be undertaken in advance of the impact assessments; others will disagree and opt for the reverse arrangement. In practice, either approach will work, provided that the information assets have been identified, but it may even be helpful if possible to undertake the threat and vulnerability assessments at the same time as the impact assessment work, since the owners of the information assets may already be aware of potential threats and vulnerabilities, ensuring that nothing is overlooked.

In such cases, additional, more detailed threat and vulnerability assessments can be undertaken later in the process by cybersecurity specialists.

For each threat the assessment identifies, there may be additional data on the frequency of events in which the threat is known to have been used successfully.

Finally, it must be borne in mind that threats can cause an impact only if the information asset presents some form of vulnerability that the particular threat is able to exploit.

Summary

In this chapter, we have examined the kinds of vulnerabilities that can lead to successful cyberattacks and the various types of threat that can cause them. In the next chapter, we shall examine the various high-level options for either preventing cyberattacks where this is possible, or for responding to them when they occur if it is not.

__________________

1See resources.infosecinstitute.com/the-top-ten-iot-vulnerabilities

2See https://www.theregister.co.uk/2017/01/07/tv_anchor_says_alexa_buy_me_a_dollhouse_and_she_does

3See https://www.nytimes.com/2017/01/30/world/europe/hotel-austria-bitcoin-ransom.html

4See https://www.tripwire.com/state-of-security/security-data-protection/ransomware-forces-hospitals-to-shut-down-network-resort-to-paper

5See https://www.infosecurity-magazine.com/news/fedex-notpetya-cost-us-300-million

6See https://www.infosecurity-magazine.com/news/social-media-phishing-attacks-soar
