Seven Scary Cyber Scenarios

Sunday, May 09, 2010

Richard Stiennon


Scenario planning is an important tool in the realm of cyber security. Stakeholder teams are assembled to create plausible scenarios of possible future threats.

Repercussions are predicted to help quantify risk and justify mitigating investments in technology and changes to policy and operations.

Here are several cyber security scenarios. The scary thing is, they have already occurred! While the incidents covered may affect adjacent or even unrelated industries, IT security practitioners and other stakeholders should be aware of the threats demonstrated by the prior occurrence of these scenarios.

These scenarios are the subject of a talk I am giving in Sydney and Melbourne the week of May 10.

Scenario 1. Collateral Damage from Cyberwar.

The scenario: Widespread attacks in conjunction with hostilities between two or more nation states lead to network outages that spread beyond the geo-political participants.

The reality: Hosted websites in Atlanta, Georgia suffer when Russia attacks the country of Georgia on August 8, 2008. Tulip Systems, a hosting provider in Atlanta, graciously offers to host the web sites of President Saakashvili (president.gov.ge) and the Georgian television station (rustavi2.com).

A fire hose of DDoS attacks points at Tulip, disrupting traffic for all of its US-based customers.

Scenario 2. Political protesters enlist social media to target attacks

The scenario: Activists enlist social media to spread their message and generate crowd-sourced attacks.

The reality: During the 2009 protests over the Iranian election results, Twitter users were enlisted in massive denial-of-service attacks against government web servers.

While this was the most striking demonstration of how crowdsourcing over social networks can be effective, it also demonstrated that getting people engaged in such attacks is still hard to do.

It is like getting a stadium crowd to do the “wave.” It takes constant cheerleading to keep it going, and the first distraction shuts it down.

Scenario 3. An insider uses privileged access to steal customer data

The scenario: An authorized user gleans credit and financial information and sells it.

The reality: During the mortgage frenzy of 2006-8, an employee of Countrywide absconds with millions of records and sells the data, loaded on USB devices, to a cyber criminal.

Scenario 4. Malicious Software Updates

The scenario: An attacker delivers software updates that surreptitiously enable a back door in critical information systems.

The reality: The Athens Affair. Over a period of months leading up to July 2005, attackers uploaded components of software to Ericsson phone switches that, when complete, gave them backdoor access, which was used to tap the cell phones of 100 officials and diplomats.

While the perpetrators were never identified, it was revealed that the Ericsson software was actually developed in Greece. One of the engineers responsible for the switches was found hanged in his apartment.

Scenario 5. Hardware backdoors

The scenario: The supply chain of network equipment is subverted to allow the installation of remote command and control capability.

The reality: Remember the Clipper Chip? It was a Clinton administration attempt to embed backdoors in network equipment: the equipment would encrypt traffic, but the cryptographic keys would be “escrowed” by the NSA and available to law enforcement.

Thanks in part to the EFF, this project died. There are numerous allegations of secret back doors in various equipment which turn out to be just hype.

The Chinese vendor Huawei has found itself accused of having backdoors in its equipment by India, the US, and the UK. No evidence has ever surfaced.

Yet you can always find someone who will share scary stories over a couple of drinks about government tampering with equipment.

So, while possible, and worth worrying about, the world still awaits the discovery of a widespread case of backdoored computer equipment.

Scenario 6. Insider abuse

The scenario: An insider uses his knowledge of IT operations to subvert them for his own purposes.

The reality: The multi-billion-dollar trading losses at Societe Generale. In January 2008 it was discovered that Jérôme Kerviel, a securities trader at Societe Generale, had used his knowledge of back office operations, gained while working in IT, to skirt internal controls and cover his heavy losses ($7.1 billion).

The timing of the announcement was devastating to the markets just when they were most vulnerable.

Scenario 7. State-sponsored spying

The scenario: State-sponsored email compromise leads to data loss and even endangers the lives of employees.

The reality: An infiltration of 1,200 networks of foreign offices and State Department facilities implicates diplomats and knowledge workers.

As documented in the GhostNet report, the Dalai Lama’s office was infiltrated by hackers, apparently from China, who acted on the knowledge gained to harass a Tibetan worker. 

The deeper the researchers from SecDev dig, the more damaging material they find. See their latest report here.

What does this mean?

It is hard to propose a cyber security scenario that has not already occurred somewhere in the world. 

While doomsday scenarios of economic devastation and complete loss of critical infrastructure for extended periods are highly unlikely, it is still important to be cognizant of past incidents and thus become better armed to think about how these scenarios could play out in your own organization.

Clement Dupuis:

As far as software updates are concerned, you do not need any hackers to do this, we do it very well on our own.

Take for example the update from Microsoft that crashes Windows XP that came out a couple weeks ago.

Take for example the virus update from a major antivirus vendor that affected systems.

Those are just two examples, and there are many more. Proper lab testing is a must for any software update, or else we do not need any hackers; we do it very well on our own.

Best regards

Clement