Fri Apr 8 06:47:17 PDT 2016
Risk Management: Threats: What threats have been identified, what are their characteristics and relevant history?
Identify the relevant threats from the table and/or alter as
necessary. Identify known examples for the enterprise, other similar
enterprises, and the general public.
Employees, board members, and other internal team members who
have legitimate access to information and/or information technology.
Complexity: Insiders typically have special knowledge of internal controls
that are unavailable to outsiders, and they have some amount of access. In
some cases, they perform only authorized actions - as far as the information
systems have been told. They are typically trusted and those in control often
trust them to the point where placing internal controls against their attacks
are considered offensive.
People who enjoy using computers and exploring the information
infrastructure and systems connected to it.
Complexity: While not generally malicious, these people tend to gather and
exploit tools that open holes to other attackers. They also sometimes make
mistakes or become afraid and feel they have to cover their tracks, thus
causing incidental harm.
People who maliciously break into information systems and
intentionally cause harm in doing so.
Complexity: These people have tools similar to those of hackers, but they
use these tools for malicious purposes and can sometimes cause a great deal
of harm. They are often bold, and often exploit indirect links to make it
hard to trace them back to their source.
People who break into information systems as part of a ceremony
to become members of clubs.
Complexity: Club initiates commonly use copy-cat attacks with minor
modifications. A typical example includes writing minor variants on viruses
that bypass a known virus detector.
Groups who roam the information infrastructure breaking into systems
and doing harm for fun and profit.
Complexity: These groups are generally willing to exploit commonly known
attacks as well as an occasional novel attack. Perception management and
dumpster diving are some of their favorite tools. They are often emboldened by
People hired to demonstrate vulnerabilities in systems by
exploiting those vulnerabilities.
Complexity: These people are usually honest, but sometimes they are not. In
addition, they often fail to properly repair the systems they try to break
into, thus leaving residual vulnerabilities. Their skills vary widely, from
rank amateur using off-the-shelf software - to true experts with a high
degree of sophistication. It is often hard to tell which is which unless you
are an expert.
People who typically have access to physical locations in order
to do routine maintenance tasks.
Complexity: Maintenance people commonly introduce viruses by accident. They
often have far more physical access than even highly trusted employees, they
are often allowed in sensitive areas alone and at off-hours, they are usually
poorly paid and assumed to have little knowledge, and they are often trusted
with items of high value.
People who make their living from stealing things.
Complexity: Professional thieves typically use the best tools they can find,
practice ahead of time for major thefts, and use highly coordinated efforts
to achieve their goals. They have historically tended toward physical means,
but this may be changing.
People who hurt other people in order to get what they want.
Complexity: They often extract information in a brutish way, exploiting
human frailty and family relationships rather than technical means.
People who damage things for the fun of it.
Complexity: Vandals typically use the path of least resistance, fear being
caught, and rapidly flee the scene of the crime.
People who believe in a cause to the point where they take
action in order to forward their ends.
Complexity: These people can be extremely zealous - even when they are
misdirected. They often consider one viewpoint to the exclusion of all
others, try to maximize harm to their victim without regard to competitive
issues or personal gains, and typically use physical means - sometimes with
the additional element of publicity as part of their motive.
Private individuals or corporate entities that investigate on a
Complexity: Investigators are willing to do a substantial amount of targeted
work toward accomplishing their goals, in some cases they may be willing to
violate the law, they often have contacts in government and elsewhere that
provide information not commonly available, and they commonly use bribes of
one form or another to advance their ends.
crackers for hire:
Crackers who get paid to break into systems and do harm.
Complexity: These people combine technical skills, tools, and money, and
can be quite successful, hard to trace, and difficult to defend against.
People who are not as in control over their mental faculties as
most other people.
Complexity: The sky is the limit with a person who doesn't act rationally.
The danger is heightened when combined with other threat elements.
Organized groups of professional criminals.
Complexity: These people tend to have money (but usually don't want to spend
it on information system attacks), use physical threats to get what they
want, and exploit human weaknesses.
Groups that combine forces in order to manufacture and sell
Complexity: These groups typically have a lot of money and are willing to
spend it in order to get what they want. They typically want to launder
money, eliminate competition, retain control over their dealer networks, and
keep law enforcement away. They use violence and physical coercion easily.
People who attempt to induce terror in others in order to forward
industrial espionage experts:
People who specialize in harming companies to the benefit of
Complexity: These people tend to be highly skilled, well paid, and stealthy.
They tend to use subtle techniques rather than brute force.
foreign agents and spies:
People who professionally gather information and commit
sabotage for governments.
Complexity: These people are highly trained, highly funded, backed by
substantial scientific capabilities, directed toward specific goals, and
skillful at avoiding detection. They can be very dangerous to life and
People tasked with enforcing laws.
Complexity: These people often have powers of search and seizure, are
usually poorly paid, wield guns, have powers of arrest, and in much of the
world are easily corrupted. They tend to use physical means.
Groups that work as parts of government.
Complexity: These groups are highly funded, often made up largely of
professionals, they commonly have indirect powers of search and seizure,
sometimes wield guns, have indirect powers of arrest, and in much of the
world are easily corrupted. They often use highly sophisticated means.
People who specialize in destroying enemy infrastructure.
Complexity: These groups typically have access to accurate weapons and high
explosives, they are oriented toward causing serious physical harm, often
have the goal of causing permanent harm, do not hesitate to kill people, and
act at the behest of governments, and with their full and open support.
People who work for newspapers, news magazines, television,
radio, or other media elements.
Complexity: Reporters often gain access that others do not have, often use
misleading cover stories or false pretenses, commonly try to become friendly
with insiders in order to get information, and have extraordinary power to
publicly punish what they perceive to be or can construe as misdeeds.
Companies, groups, and governments that compete on a large
scale with your companies, groups, and governments.
Complexity: While economic rivals are usually merely competitive, sometimes
they become rather extreme in their desire for technical information and
attack in order to gain technical expertise. They tend to be well funded,
have a lot of expertise, and typically operate from locations which provide
legal cover for their actions.
National governments - countries.
Complexity: When countries decide to attack other countries in the
information arena, they often use stealth to try to provide for plausible
deniability, however this is not always the case, and they often fail to
achieve true anonymity. Responses may lead to escalation - and in some
cases - escalation can lead to full-scale war.
Global groups that work together toward common goals.
Complexity: Global coalitions - of corporations, groups, countries, cartels,
and other bodies - combine their forces to increase their impact and make
it harder to fight them off.
Government-sponsored armed and organized groups.
Complexity: Militaries tend to blow things up, however, in the more advanced
military organizations, information is exploited to maximize their advantage
and neutralize opponent capabilities. Physical destruction is often avoided
in order to preserve infrastructure used after the conflict has ended. They
tend to have and use exotic as well as every-day capabilities.
Privately-sponsored armed and organized groups.
Complexity: Paramilitary groups, malicious, and similar organizations tend to
be poorly funded and oriented toward physical destruction.
People who specialize in attacking information systems as
part of government-sponsored military operations.
Complexity: Information warriors may use any or all of the known techniques
as well as techniques developed especially for their use and kept secret in
order to attain military advantage. They tend not to kill people
People who extort money or goods by threatening harm if not
Complexity: Extortion is commonly used to get money in exchange for not
causing harm. It is closely related to kidnaping.
Things fall apart. Stuff happens. Nature calls. People die.
Complexity: Most natural phenomena can be characterized by statistics and
dealt with using probabilistic techniques.
People who work under their own control to provide contract
services to others.
Complexity: Consultants often have insider access but are not controlled as
are insiders. Technical consultants who use client information technology
present a technical threat, while management consultants who often have
access to more of the more sensitive information in a company presents a
People who sell things to you.
Complexity: Vendors are often in competition with each other over sales and
with you over pricing and terms. They tend to be in long-term relationships
and often work closely with your people. Their economic motives are often
not aligned with yours and in some cases, they take advantage of information
in order to gain economic advantage in negotiations.
People who you buy things from.
Complexity: Customers are often in competition with you over pricing and
terms. Their economic motives are often not aligned with yours and in some
cases, they take advantage of information in order to gain economic advantage
in negotiations. In some cases, customers have worked their way into
companies, extracted information, taken over their suppliers' businesses by
taking advantage of the knowledge gained through their interactions.
People who defraud others.
Complexity: Throughout the centuries, people have perpetrated frauds of
all sorts in order to gain through taking advantage of others.
Other individuals or companies in the same or similar businesses
and who stand to gain from your loss or who can gain economic advantage by
taking advantage of you.
Complexity: Competitors are commonly perceived as an economic threat, but in
large businesses, they are often collaborators on some projects and
competitors on others. As a result, information technology is often used to
provide access for some purposes. It can be quite tempting to exploit this
access and these relationships in competitive areas.
People who believe that crimes are being committed and that they
have a duty to report them to the proper authorities.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved
Complexity: Whistle blowers are often sincere in their beliefs, have insider
access, and sometimes have legitimate cases.