A vulnerability is a weakness in a system, system security procedure, internal controls, or implementation that could be exploited by a threat source. Vulnerabilities leave systems susceptible to a multitude of activities that can result in significant and sometimes irreversible losses to an individual, group, or organization. These losses can range from a single damaged file on a laptop computer or mobile device to entire databases being compromised at an operations center. With the right tools and knowledge, an adversary can exploit system vulnerabilities and gain access to the information stored on them. The damage inflicted on compromised systems can vary depending on the threat source.
A threat source can be adversarial or non-adversarial. Adversarial threat sources are individuals, groups, organizations, or entities that seek to exploit an organization's dependence on cyber resources. Even employees, privileged users, and trusted users have been known to defraud organizational systems. Non-adversarial threat sources refer to natural disasters or erroneous actions taken by individuals in the course of executing their everyday responsibilities.
Fraud and Theft
Systems can be exploited for fraud and theft by "automating" traditional methods of fraud or by introducing new methods. System fraud and theft can be committed by insiders (i.e., authorized users) and outsiders. Authorized system administrators and users with access to and familiarity with the system (e.g., resources it controls, flaws) are often responsible for fraud. Former employees also pose a threat given their knowledge of the organization's operations, particularly if access is not terminated promptly.
Financial gain is one of the chief motivators behind fraud and theft, but financial systems are not the only systems at risk. There are several techniques that cybercriminals use to gather information they would otherwise not have had access to. Some of these techniques include:
Social Media: Social media (e.g., Facebook, Twitter, LinkedIn) has allowed cybercriminals to exploit the platform to conduct targeted attacks. Using easily-made, fake, and unverified social media accounts, cybercriminals can impersonate co-workers, customer service representatives, or other trusted individuals in order to send links to malicious code that steals personal or sensitive organizational information.
Social Engineering: In the context of Information Security, social engineering is a technique that relies heavily on human interaction to influence an individual to violate security protocol and encourages the individual to divulge confidential information. These types of attacks are commonly committed via phone or online. Attacks perpetrated over the phone are the most basic form of social engineering. For example, an attacker may mislead a company into believing the attacker is an existing customer and have that company divulge information about that customer.
Advanced Persistent Threat (APT): A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity. APTs generally target private organizations, states, or both for business or political motives. APT processes require a high degree of covertness over a long period of time. "Advanced" signifies sophisticated techniques using malware to exploit vulnerabilities in systems. "Persistent" suggests an external command and control system is continuously monitoring and extracting data from a specific target. "Threat" indicates human involvement in orchestrating the attack.
Insider Threat
Employees can represent an insider threat to an organization given their familiarity with the employer's systems and applications as well as what actions may cause the most damage, mischief, or disorder. Employee sabotage, often instigated by knowledge or threat of termination, is a critical issue for organizations and their systems. In an effort to mitigate the potential damage caused by employee sabotage, the terminated employee's access to IT infrastructure should be immediately disabled, and the individual should be escorted off company premises.
Examples of system-related employee sabotage include, but are not limited to:
- Destroying hardware or facilities;
- Planting malicious code that destroys programs or data;
- Entering data incorrectly, holding data, or deleting data;
- Crashing systems; and
- Changing administrative passwords to prevent system access.
Malicious Hackers and Their Motivations
Malicious hacker is a term used to describe an individual or group that uses an understanding of systems, networking, and programming to illegally access systems, cause damage, or steal information. Understanding the motivation that drives a malicious hacker can help an organization implement the proper security controls to reduce the likelihood of a system breach.
Attackers: Attackers break into networks for the thrill and challenge or for bragging rights in the attacker community. While remote hacking once required considerable skills or computer knowledge, attackers can now download attack scripts and protocols from the Internet and launch them against victim sites.
Bot-Network Operators: Bot-network operators assume control of multiple systems to coordinate attacks and distribute phishing schemes, spam, and malicious code. The services of compromised systems and networks can be found in underground markets online (e.g., purchasing a denial of service attack, using servers to relay spam, or phishing attacks).
Criminal Groups: Criminal groups seek to attack systems for monetary gain. Specifically, organized crime groups use spam, phishing, and spyware/malicious code to commit identity theft and online fraud. International corporate spies and organized crime organizations also pose threats to the Nation based on their ability to conduct industrial espionage, large-scale monetary theft, and the recruitment of new attackers. Some criminal groups may try to extort money from an organization by threatening a cyberattack or by encrypting and disrupting its systems for ransom.
Foreign Intelligence Services: Foreign intelligence services use cyber tools as part of their information gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrines, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power, impacts that could affect the daily lives of U.S. citizens.
Phishers: Phishers are individuals or small groups that execute phishing schemes to steal identities or information for monetary gain. Phishers may also use spam and spyware/malicious code to accomplish their objectives.
Spammers: Spammers are individuals or organizations that distribute unsolicited e-mail with hidden or false information to sell products, conduct phishing schemes, distribute spyware/malicious code, or attack organizations (e.g., DoS).
Spyware/Malicious Code Authors: Individuals or organizations who maliciously carry out attacks against users by producing and distributing spyware and malicious code. Destructive computer viruses and worms that have harmed files and hard drives include the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster.
Terrorists: Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malicious code to generate funds or gather sensitive information. They may also attack one target to divert attention or resources from other targets.
Industrial Spies: Industrial espionage seeks to acquire intellectual property and know-how using clandestine methods.
Non-Adversarial Threat Sources and Events
Errors and Omissions: Errors and omissions can be inadvertently caused by system operators who process hundreds of transactions daily or by users who create and edit data on organizational systems. Errors by users, system operators, or programmers may occur throughout the life cycle of a system and may directly or indirectly contribute to security problems and degrade data and system integrity. Software applications, regardless of their level of sophistication, are not capable of detecting all types of input errors and omissions. Therefore, it is the responsibility of the organization to establish a sound awareness and training program to reduce the number and severity of errors and omissions.
Loss of Physical and Infrastructure Support: The loss of supporting infrastructure includes power failures (e.g., outages, spikes, brownouts), loss of communications, water outages and leaks, sewer malfunctions, disruption of transportation services, fire, flood, civil unrest, and strikes. A loss of supporting infrastructure often results in system downtime in unexpected ways. For example, employees may not be able to get to work during a winter storm, although the systems at the work site may be functioning as normal.
Information Sharing and the Impacts to Personal Privacy: The accumulation of vast amounts of personally identifiable information by government and private organizations has created numerous opportunities for individuals to experience privacy problems as a byproduct or unintended consequence of a breach in security.
Individuals' voluntary sharing of PII through social media has also contributed to new threats that allow malicious hackers to use that information for social engineering or to bypass common authentication measures.
Organizations may share information about cyber threats that includes PII. These disclosures could lead to unanticipated uses of such information, including surveillance or other law enforcement actions.