When designing security it is important to understand what you are attempting to protect as well as what you are protecting against. What you are protecting are your assets and business processes. An asset is anything used in a business task. Without assets your organization could not function and would not exist. Your business processes are the activities performed to accomplish your mission or goals and to provide products or services to your customers. What you are protecting against are the threats that could harm your assets or interrupt your business tasks.
The six threat concepts listed below might not represent all possible concerns, but they do represent the majority of issues that need to be taken seriously when designing a security policy and implementing a security solution.
- Internal vs. External
Some threats are internal, while others are external. It is tempting to assume that most of your threats are from external enemies. However, at least half of security breaches are caused by internal personnel. Thus, it is essential to evaluate the risk that both employees and outsiders pose to your organization.
- Intentional vs. Accidental
Intentional attacks are waged to seek revenge, right a perceived wrong, push forward a cause, interrupt a business task or event, disclose information for shame, gather assets to sell or just for entertainment. Accidental security breaches are mostly caused by internal personnel who mistakenly cross a security line while performing work tasks or who fail to take security precautions either at work or during personal time. Accidental security violations may be without malice, but they can still be devastating to an organization.
- Targeted vs. Random
Some threats are specifically targeted, while others find targets at random. Your organization may be in the crosshairs of any number of groups wishing to cause harm. These groups may plot and scheme to craft an attack that will grant them access to your specific assets or otherwise bring harm to your organization. However, it is also possible that as hackers seek out targets across the Internet, they may stumble across your network. Thus, your company may be attacked simply because your IP address revealed a potentially vulnerable target. This could be considered a random attack or an opportunistic attack.
- Local vs. Remote
Some threats are local, while others are remote. Local threats are those within your building. This can include standard employees, but can also include consultants, contractors, family members or other on-site visitors. Local threats can also include portable storage devices or downloaded malicious code. Remote threats are those controlled and/or initiated by external entities. This would include any form of remote control attacks, including session hijacking and man-in-the-middle exploitations.
- Technological, Physical or Social
Some threats are technological, some are physical and others are social based. Technological threats are any form of attack that uses technology to further the compromise. This includes malicious code, remote control exploits, cracking passwords, compromising authentication, cracking encryption, stealing encryption keys, digital impersonation, man-in-the-middle attacks, buffer overflows, SQL injection and many, many more. Physical threats are those related to physical theft or breaking into a building. They can include vandalism, taking photos of sensitive information or locations and altering physical security mechanisms. Social-based threats are any attacks focusing on your employees. This type of threat is generally labeled by the phrase social engineering. These personnel attacks can occur face to face, over the phone or through any means of digital communication.
- New and Unknown
Some threats are new and unknown, while others have existed for a long period of time and are well known. The threat from the unknown is the most disconcerting, as we don’t know what form the attack will take, when it will occur, what it will target, what type of damage or harm will occur or how extensive the damage will be. New attacks and exploits are constantly being crafted by malicious hackers. But while the threat of new and unknown exploits is real, it is far more likely that your organization will be attacked using a well-known threat. A majority of malicious and mischievous hackers do not have access to new and unknown exploits; rather, they have access to the plethora of existing attacks and compromises. Thus, it is important to defend against the known while preparing for the unknown.
Both top-level executives and IT security officers need to assess the risk and likelihood of each of these threat forms.
Often, the leaders of an organization and the engineers of an organization will have different experiences, viewpoints, knowledge and priorities in relation to these threat concepts. Make the effort to openly discuss each of these six threat concepts (along with any others you are aware of). Consider how much of a threat each of these ideas represents to your organization and decide on a plan of response in order to develop a more resilient security solution for your organization.