Who, from the perspective of an IT infrastructure, are internal attackers and external attackers? Internal attackers are commonly disgruntled employees, contractors, or third-party users who, for whatever reason, have lost respect for, and loyalty to, the organization, including its IT infrastructure and its assets. External attackers fall into one of numerous attacker profiles or types. Figure 6.1 depicts a typical IT infrastructure and the boundary between inside and outside threats.
Figure 6.1. Internal vs. external human threats to an IT infrastructure.
Which of the Two Attacker Types Is Potentially More Damaging to the Organization?
An attack from the inside is potentially more damaging than one from the outside because it is typically conducted by an employee or other individual who already has, or can readily obtain, access to mission-critical IT systems, resources, and data. The threat is greater still if the employee is an IT professional holding access rights and privileges to the organization's mission-critical servers, resources, and data. Because of this internal threat, organizations must have appropriate Acceptable Use Policies (AUPs) and Confidentiality Agreements in place with key IT personnel who have access to confidential or sensitive IT systems, resources, or data. In addition, human resource procedures and guidelines must be followed, especially when an IT employee is terminated. The disgruntled employee, along with other human factors and issues, is a serious threat to organizations, their IT infrastructures, and their assets. This is why thorough background and reference checks for IT employees are a critical and necessary step in the hiring process for many organizations.
Attackers, whether internal or external to an organization, are the threat agents who exploit known or unknown vulnerabilities in an IT infrastructure.
Definition of Threat by National Information System Security Conference
"A threat is any circumstance or event with the potential to adversely impact a system through"
Unauthorized access The attacker does not have authorization or permission to access the organization's IT infrastructure and IT assets. Unauthorized access may well carry a criminal charge, depending on what was compromised and whether the targeted victim suffered monetary damage or loss of productivity.
Destruction or damage After completing the initial probing and scanning and gaining access to an IT system or application, the attacker can escalate privileges and destroy or damage the organization's data assets on mission-critical systems, resources, and servers.
Disclosure of confidential information After gaining access to an IT system or application, the attacker can read confidential information and disclose it to a competitor to damage the organization, or sell it for a payoff if the motivation is monetary.
Modification or alteration of data After gaining access to the IT system, resource, or application, the attacker can escalate privileges and modify or alter the organization's data assets, causing monetary damage and loss of data integrity.
Denial of Service (DoS) A DoS attack renders production TCP/IP hosts or services unavailable to legitimate users. Typical methods are floods of ICMP echo requests (ping floods), oversized or malformed packets that crash a poorly implemented IP stack, and SYN floods, in which the attacker opens large numbers of TCP connections but never completes the three-way handshake, so the target's half-open connection table fills and new connections are refused. In each case the attack consumes CPU, memory, or network bandwidth on the targeted device and its links, starving legitimate traffic.
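A SYN flood is visible in connection records as a source that sends many SYNs and never completes the handshake. The following is an added example, not part of the original chapter, that scores sources by outstanding half-open connections within a time window. The log format (timestamp, source, destination:port, flag where S is a client SYN and A is the client's handshake ACK), the sample records, and the five-SYN threshold are constructed for illustration; real sensors such as a firewall or Zeek conn log would need their own parser.

```python
from collections import defaultdict

# Constructed sample (not real traffic). 203.0.113.7 never completes a handshake;
# 10.0.0.5 and 10.0.0.6 each send one SYN and then the handshake ACK.
SAMPLE_LOG = """\
1 10.0.0.5 192.168.1.10:80 S
1 10.0.0.5 192.168.1.10:80 A
2 203.0.113.7 192.168.1.10:80 S
2 203.0.113.7 192.168.1.10:80 S
2 203.0.113.7 192.168.1.10:80 S
3 203.0.113.7 192.168.1.10:80 S
3 203.0.113.7 192.168.1.10:80 S
3 10.0.0.6 192.168.1.10:80 S
4 10.0.0.6 192.168.1.10:80 A
4 203.0.113.7 192.168.1.10:80 S
"""


def parse_log(text):
    """Parse 'ts src dst:port flag' lines into (ts, src, dst, flag) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flag = line.split()
        records.append((int(ts), src, dst, flag))
    return records


def half_open_by_source(records, window, now):
    """Count SYNs per source within (now - window, now] that were never
    followed by the client's handshake ACK on the same (src, dst) pair."""
    pending = defaultdict(int)  # (src, dst) -> outstanding SYNs
    # Stable sort by timestamp so a SYN and ACK in the same second keep log order.
    for ts, src, dst, flag in sorted(records, key=lambda r: r[0]):
        if ts <= now - window or ts > now:
            continue
        if flag == "S":
            pending[(src, dst)] += 1
        elif flag == "A" and pending[(src, dst)] > 0:
            pending[(src, dst)] -= 1  # handshake completed, no longer half-open
    totals = defaultdict(int)
    for (src, _dst), n in pending.items():
        totals[src] += n
    return dict(totals)


def flag_syn_flood(records, window=5, now=None, threshold=5):
    """Return sources whose outstanding half-open connections meet the threshold.
    The threshold is an assumed illustrative value; tune it to the protected host's
    backlog size and normal connection rate."""
    if now is None:
        now = max(ts for ts, *_ in records)
    counts = half_open_by_source(records, window, now)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(half_open_by_source(records, window=5, now=4))
    print("suspected SYN flood sources:", flag_syn_flood(records))
```

The window matters: a legitimate client whose ACK is simply delayed looks half-open for a moment, so the count is taken over a sliding interval rather than since the start of the log, and only sustained backlogs cross the threshold.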
By understanding more about the attackers, the risk and vulnerability assessor can "think like an attacker." In the next section, attacker types and their characteristics are presented. This knowledge helps the IT security professional understand who attackers are and how best to combat the kinds of attacks that they commonly engage in.
Attacker Types and Their Characteristics
Many terms and adjectives are used to describe an attacker of an IT infrastructure and its assets. Each type of attacker has a unique profile description along with unique and differentiating characteristics. These profile definitions along with differentiating characteristics are presented next:
Who Are the Greatest Threat?
The greatest threat to an organization and its IT infrastructure and assets is its internal employees, contractors, and third-party users who have access to the organization's IT infrastructure and its assets. Granting access rights and privileges to internal employees who work with the organization's confidential data and information potentially represents the largest exposure to risk, hence the need for proper human resource procedures when hiring and employing personnel who will access confidential systems and data. Proper background checks, AUPs, and confidentiality agreements must be completed for new employees and for IT employees who will have access to confidential systems and data. These instruments are among the few protections an organization has against an attack by an internal employee or, worse, an internal IT employee. The disgruntled employee represents the single greatest threat to an organization, even though the more widely publicized security breaches are typically initiated by external attackers.
Insecure Computing Habits Are a Threat
The second greatest threat to an organization and its IT infrastructure and assets is its employees' insecure computing habits. These insecure computing habits typically include the following:
Disgruntled Employees Are a Threat
The third greatest threat an organization may face results from poor firing and termination procedures for employees, and especially for IT employees. Many security breaches, both reported and unreported, originate inside the organization, are perpetrated by current or former employees, and go undetected because of weak or inefficient human resource procedures and guidelines for firing and terminating employees. This is particularly important when IT personnel are terminated, with or without cause, when an employee is passed over for a well-deserved promotion, or when other circumstances lead an employee to lose respect for the employer. By the time the IT manager or department notifies human resources of the termination and human resources confirms it back to IT, the attack may already have happened. In some organizations it takes days or even weeks before a configuration move, add, or change request is completed, depending on the backlog of trouble tickets and the access control procedures; or the request is lost and access is never removed until an audit uncovers the loose end.
Organizations must implement proper security controls for removing inactive user accounts and access privileges, carried out by the appropriate human resources and IT personnel as the final step of termination. Without such controls and procedures, in particular the immediate removal of all access rights and privileges to company-owned IT resources, systems, and applications, an organization may be subject to one of the following threats from a disgruntled IT employee:
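The control described above, reconciling the HR roster against the directory so that terminated, orphaned, and long-idle accounts are caught before an audit does, can be automated. The following is an added example, not part of the original chapter. The roster, directory export, privileged group names, 90-day idle threshold, and severity rules are constructed assumptions for illustration; in practice the two inputs would come from the HR system and from a directory export (for example, an LDAP or Active Directory query), and the findings would feed a ticket or an automated disable action.

```python
from datetime import date

# Assumed list of groups whose membership makes an account high impact.
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}

# Constructed HR roster keyed by username (not real data).
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}

# Constructed directory export (not real data). bob is terminated in HR but still
# enabled and privileged; svc-legacy has no HR owner; carol has not logged in for months.
DIRECTORY = [
    {"user": "alice", "enabled": True, "last_login": "2024-05-30", "groups": ["staff"]},
    {"user": "bob", "enabled": True, "last_login": "2024-05-28", "groups": ["staff", "domain-admins"]},
    {"user": "carol", "enabled": True, "last_login": "2024-01-02", "groups": ["staff"]},
    {"user": "svc-legacy", "enabled": True, "last_login": "2023-11-10", "groups": ["backup-operators"]},
    {"user": "dave", "enabled": False, "last_login": "2023-09-01", "groups": []},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def audit_accounts(roster, directory, today, inactive_days=90):
    """Return (user, finding, severity) for every enabled account that is
    terminated in HR, has no HR record, or exceeds the idle threshold."""
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already disabled; nothing to remove
        user = acct["user"]
        privileged = bool(PRIVILEGED_GROUPS & set(acct["groups"]))
        status = roster.get(user)
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if status == "terminated":
            findings.append((user, "terminated-but-enabled", "critical" if privileged else "high"))
        elif status is None:
            findings.append((user, "no-hr-record", "high" if privileged else "medium"))
        elif idle_days > inactive_days:
            findings.append((user, "inactive-%d-days" % idle_days, "medium" if privileged else "low"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[2]], f[0]))


def remediation_plan(findings, directory):
    """Translate findings into concrete deprovisioning actions: disable the
    account and strip privileged group membership first, so the access is gone
    even if the account record is kept for investigation."""
    groups_of = {a["user"]: a["groups"] for a in directory}
    actions = []
    for user, finding, _severity in findings:
        if finding.startswith("inactive"):
            actions.append((user, "disable-pending-owner-confirmation"))
            continue
        for group in sorted(PRIVILEGED_GROUPS & set(groups_of[user])):
            actions.append((user, "remove-from-group:" + group))
        actions.append((user, "disable"))
    return actions


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed audit date
    for f in audit_accounts(HR_ROSTER, DIRECTORY, today):
        print(f)
    for a in remediation_plan(audit_accounts(HR_ROSTER, DIRECTORY, today), DIRECTORY):
        print(a)
```

Running this on a schedule closes the gap the text describes between the HR notification and the IT change request: the terminated-but-enabled check fires on the next run regardless of whether a ticket was filed, and accounts with no HR owner (shared or service accounts created outside the joiner process) surface as findings instead of waiting for an audit.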