Debi Ashenden


Threat Assessment and Its Input to Risk Assessment

Risk assessment as a business process

The threat posed to such an intangible and volatile environment as an information system has never, to date, been successfully assessed. That is, it has not been carried out in a provable and replicable manner. In the past, the threat agents considered have been, primarily, either other nation states or terrorist organizations. An example of how difficult the problem is was highlighted in February 1998, when the U.S. Department of Defense computer systems came under what was, at the time, described as a systematic attack. The attack pattern was highly indicative of preparations for a coordinated attack on U.S. Defense Information Infrastructure at a time when the U.S. Air Force was being readied for a deployment against the Iraqi Regime. The attacks all appeared to be targeted against Department of Defense network domain name servers and were exploiting a well-known vulnerability in the Solaris Operating System. (Incidentally, the patch for the vulnerability had been available for quite some time.) The attack profile consisted of a probe to determine whether the vulnerability existed in the server, which was then followed by the exploitation of the vulnerability to enter the computer. Once into the system, the attacker would insert a program that gathered data and, at a later date, return to retrieve the data collected.

The attacks were widespread and appeared to be well coordinated, and a large number of the attacks followed the same profile. The attacks seemed to target key elements of the defense networks, and over the period the attackers collected a large number of network passwords. The attacks could not be characterized or attributed to a specific source, but there was an obvious potential connection with the deployment for impending operations in the Gulf.

After a considerable period of investigation (reported as up to 17 days), involving a wide range of the resources available to the U.S. Government, it was discovered that the attackers were what became known as the Cloverdale Kids, two youths aged 15 and 16 from Cloverdale, California, who operated under the nicknames of Too Short and Makaveli. They had also been given assistance and "mentoring" by a third person, identified as an 18-year-old Israeli youth, Ehud Tenenbaum, who used the nickname of Analyzer.

The reason for giving this example is that an attack, which was considered to have been initiated by a foreign nation and which involved a wide range of the resources available to the United States, was eventually attributed to three youths with the resources and equipment that can be found in the average home. This gives some insight into the level of difficulty we currently face. It is also worth pointing out that if this incident had occurred in almost any other country in the world, the time taken to isolate the perpetrator would probably have been considerably greater. If the attacker had indeed been a foreign power, how much damage could they have caused?

The threat posed both by, and to, commercial organizations or non-terrorist non-government organizations has not, in the past, been considered. In the current environment, however, it has been demonstrated that the potential impact from, and to, these other groups could be much more significant than was previously thought. The threats posed to non-government organizations and the elements of the Critical National Infrastructure have not been considered until recently, because in the past there was no single individual or group that was concerned with or had a sufficient understanding of the problem.

What Is a Threat Agent?

To understand what threat is, it is necessary to identify the separate elements that make up a threat. The elements identified below are not an exhaustive set but have been selected to demonstrate a good cross-section. The characteristics of these elements are as follows:
  1. Natural threats and accidents: This group consists of non-intentional threat agents and includes those natural incidents such as earthquakes, typhoons, naturally occurring fires and floods, and the unintentional actions of humans. They are described separately as natural and accidental.
  2. Malicious threats: This group consists of those threat agents that result from the intentional actions of individuals and groups and have the following characteristics that affect them:
     • Capability
     • Motivation
     • Catalysts
     • Access
     • Inhibitors
     • Amplifiers

Natural and Accidental Threats

These are two relatively well-known and understood groups of threats, and some knowledge of them can be gained from the insurance industry and the actuarial history it retains regarding the effects of earthquakes, fires, wind, water, and lightning. For the second group, accidental damage, there is, again, a wealth of information available within the insurance industry with regard to the likelihood of an accident occurring in the physical domain (i.e., someone dropping a piece of equipment). What cannot be avoided is our inability to accurately predict how often such incidents will occur. Unfortunately, with the exception of the cases recorded by Peter G. Neumann in his book, Computer Related Risks, there is little or no publicly available documentation of incidents that have occurred in the electronic environment; as a result, there is little that can be gained from past experience in this domain.

For this group of natural and accidental threat agents, each type is reviewed in isolation because they have only tenuous links to each other, and the main area of commonality is that they are not planned or directed.

Earthquake

The possibility of damage as a result of an earthquake is largely geographically dependent, but again there is considerable experience and documented case histories in the insurance industry of underwriting this type of event.

More Stories By Andy Jones

Andy Jones is a research group leader at the Security Research Centre for British Telecommunications where he is doing research into the security of information and communication systems.

More Stories By Debi Ashenden

Debi Ashenden is a senior research fellow in information assurance at the Royal Military College of Science, Cranfield University, U.K.
