Threat (computer)
In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in unwanted impact to a computer system or application.
A threat can be either an negative "intentional" event or "accidental" negative event or otherwise a circumstance, capability, action, or event.
This is differentiated from a threat actor who is an individual or group that can perform the threat action, such as exploiting a vulnerability to actualise a negative impact.
Definitions
defines threat as:A more comprehensive definition, tied to an Information assurance point of view, can be found in "Federal Information Processing Standards 200, Minimum Security Requirements for Federal Information and Information Systems" by NIST of United States of America
National Information Assurance Glossary defines threat as:
ENISA gives a similar definition:
The Open Group defines threat as:
Factor analysis of information risk defines threat as:
National Information Assurance Training and Education Center gives a more articulated definition of threat:
Phenomenology
The term "threat" relates to some other basic security terms as shown in the following diagram:
+ - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+
| An Attack: | |Counter- | | A System Resource: |
| i.e., A Threat Action | | measure | | Target of the Attack |
| +----------+ | | | | +-----------------+ |
| | Attacker |<
=||<
| |
| | i.e., | Passive | | | | | Vulnerability | |
| | A Threat |<
>||<
=> | |
| | Agent | or Active | | | | +-------|||-------+ |
| +----------+ Attack | | | | VVV |
| | | | | Threat Consequences |
+ - - - - - - - - - - - - + + - - - - + + - - - - - - - - - - -+
A resource can have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromise the confidentiality, integrity or availability properties of resources of the organization and others involved parties.
The so-called CIA triad is the basis of information security.
The attack can be active when it attempts to alter system resources or affect their operation: so it compromises Integrity or Availability. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources: so it compromises Confidentiality.
OWASP depicts the same phenomenon in slightly different terms: a threat agent through an attack vector exploits a weakness of the system and the related security controls causing a technical impact on an IT resource connected to a business impact.
A set of policies concerned with information security management, the Information security management systems, has been developed to manage, according to risk management principles, the countermeasures in order to accomplish to a security strategy set up following rules and regulations applicable in a country. Countermeasures are also called security controls; when applied to the transmission of information are named security services.
The overall picture represents the risk factors of the risk scenario.
The widespread of computer dependencies and the consequent raising of the consequence of a successful attack, led to a new term cyberwarfare.
Nowadays the many real attacks exploit Psychology at least as much as technology. Phishing and Pretexting and other methods are called social engineering techniques. The Web 2.0 applications, specifically Social network services, can be a mean to get in touch with people in charge of system administration or even system security, inducing them to reveal sensitive information. One famous case is Robin Sage.
The most widespread documentation on computer insecurity is about technical threats such as a computer virus, trojan and other malware, but a serious study to apply cost effective countermeasures can only be conducted following a rigorous IT risk analysis in the framework of an ISMS: a pure technical approach will let out the psychological attacks, that are increasing threats.
Threats classification
Threats can be classified according to their type and origin:- Types of threats:
- * Physical damage: fire, water, pollution
- * Natural events: climatic, seismic, volcanic
- * Loss of essential services: electrical power, air conditioning, telecommunication
- * Compromise of information: eavesdropping, theft of media, retrieval of discarded materials
- * Technical failures: equipment, software, capacity saturation,
- * Compromise of functions: error in use, abuse of rights, denial of actions
- Deliberate: aiming at information asset
- * spying
- * illegal processing of data
- Accidental
- * equipment failure
- * software failure
- Environmental
- * natural event
- * loss of power supply
- Negligence: Known but neglected factors, compromising the network safety and sustainability
Threat classification
- Spoofing of user identity
- Tampering
- Repudiation
- Information disclosure
- Denial of Service
- Elevation of privilege
The categories were:
- Damage – how bad would an attack be?
- Reproducibility – how easy it is to reproduce the attack?
- Exploitability – how much work is it to launch the attack?
- Affected users – how many people will be impacted?
- Discoverability – how easy it is to discover the threat?
The spread over a network of threats can lead to dangerous situations. In military and civil fields, threat level has been defined: for example INFOCON is a threat level used by the US. Leading antivirus software vendors publish global threat level on their websites.
Associated terms
Threat agents or actors
The term Threat Agent is used to indicate an individual or group that can manifest a threat. It is fundamental to identify who would want to exploit the assets of a company, and how they might use them against the company.Individuals within a threat population; Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.
Threat agents can take one or more of the following actions against an asset:
- Access – simple unauthorized access
- Misuse – unauthorized use of assets
- Disclose – the threat agent illicitly discloses sensitive information
- Modify – unauthorized changes to an asset
- Deny access – includes destruction, theft of a non-data asset, etc.
It is important to separate the concept of the event that a threat agent get in contact with the asset and the event that a threat agent act against the asset.
OWASP collects a list of potential threat agents to prevent system designers, and programmers insert vulnerabilities in the software.
Threat Agent = Capabilities + Intentions + Past Activities
These individuals and groups can be classified as follows:
- Non-Target Specific: Non-Target Specific Threat Agents are computer viruses, worms, trojans and logic bombs.
- Employees: Staff, contractors, operational/maintenance personnel, or security guards who are annoyed with the company.
- Organized Crime and Criminals: Criminals target information that is of value to them, such as bank accounts, credit cards or intellectual property that can be converted into money. Criminals will often make use of insiders to help them.
- Corporations: Corporations are engaged in offensive information warfare or competitive intelligence. Partners and competitors come under this category.
- Human, Unintentional: Accidents, carelessness.
- Human, Intentional: Insider, outsider.
- Natural: Flood, fire, lightning, meteor, earthquakes.
Threat source
Threat communities
;Threat communitiesThreat action
Threat action is an assault on system security.A complete security architecture deals with both intentional acts and accidental events.
Various kinds of threat actions are defined as subentries under "threat consequence".
Threat analysis
Threat analysis is the analysis of the probability of occurrences and consequences of damaging actions to a system. It is the basis of risk analysis.Threat consequence
Threat consequence is a security violation that results from a threat action.Includes disclosure, deception, disruption, and usurpation.
The following subentries describe four kinds of threat consequences, and also list and describe the kinds of threat actions that cause each consequence.
Threat actions that are accidental events are marked by "*".
;"Unauthorized disclosure"
;"Deception" :
; "" :
; "Usurpation"
Threat landscape or environment
A collection of threats in a particular domain or context, with information on identified vulnerable assets, threats, risks, threat actors and observed trends.Threat management
Threats should be managed by operating an ISMS, performing all the IT risk management activities foreseen by laws, standards and methodologies.Very large organizations tend to adopt business continuity management plans in order to protect, maintain and recover business-critical processes and systems. Some of these plans foreseen to set up computer security incident response team or computer emergency response team
There is some kind of verification of the threat management process:
Most organizations perform a subset of these steps, adopting countermeasures based on a non-systematic approach: computer insecurity studies the battlefield of computer security exploits and defences that results.
Information security awareness is a significant market. There has been a lot of software developed to deal with IT threats, including both open-source software and proprietary software.
Cyber threat management
Threat management involves a wide variety of threats including physical threats like flood and fire. While ISMS risk assessment process does incorporate threat management for cyber threats such as remote buffer overflows the risk assessment process doesn't include processes such as threat intelligence management or response procedures.Cyber threat management is emerging as the best practice for managing cyber threats beyond the basic risk assessment found in ISMS. It enables early identification of threats, data-driven situational awareness, accurate decision-making, and timely threat mitigating actions.
CTM includes:
- Manual and automated intelligence gathering and threat analytics
- Comprehensive methodology for real-time monitoring including advanced techniques such as behavioural modelling
- Use of advanced analytics to optimize intelligence, generate security intelligence, and provide Situational Awareness
- Technology and skilled people leveraging situational awareness to enable rapid decisions and automated or manual actions
Threat hunting
Threat hunting can be a manual process, in which a security analyst sifts through various data information using their knowledge and familiarity with the network to create hypotheses about potential threats. To be even more effective and efficient, however, threat hunting can be partially automated, or machine-assisted, as well. In this case, the analyst utilizes software that harnesses machine learning and user and entity behaviour analytics to inform the analyst of potential risks. The analyst then investigates these potential risks, tracking suspicious behaviour in the network. Thus hunting is an iterative process, meaning that it must be continuously carried out in a loop, beginning with a hypothesis. There are three types of hypotheses:
- Analytics-driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses"
- Situational-awareness driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends"
- Intelligence-driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans"
The SANS Institute has conducted research and surveys on the effectiveness of threat hunting to track and disrupt cyber adversaries as early in their process as possible. According to a survey released in 2016, "adopters of this model reported positive results, with 74 percent citing reduced attack surfaces, 59 percent experiencing faster speed and accuracy of responses, and 52 percent finding previously undetected threats in their networks."