II. Evaluating risk

“Risk” is a key concept in cybersecurity. Some people define cybersecurity risk as A + T + V = risk. In this equation, A stands for asset, T stands for threat and V stands for vulnerability.

  • Asset: An asset is whatever can be considered sensitive data, or provide access to such data. It can be your private information, a device or a component of a system that is seen as valuable.

  • Threat: The threat can be a malicious hacker, a criminal, or an insider stealing information, but a threat can also be accidental such as a technical malfunction or a user error that can cause risk to the data (asset).

  • Vulnerability: A vulnerability is a flaw that can destroy, damage or compromise the asset. With software, a vulnerability is usually a flaw in the program code (a bug) or a flaw in the way the program discloses or allows access to data.

The ISO 27000 family of standards for information security adds impact to the definition. Impact is assessed so that the risks can be prioritised: for example, a risk with a high probability but a very low impact could be placed lower on the list of risks than a risk with a low probability but a very high impact. Adding impact to the definition and rewriting the equation as V x T x I = risk accounts for the multiplicative nature of risk assessment.
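To make the difference between the two definitions concrete, here is a small risk register scored both ways. This is an added example, not material from the course: the three risks, the 1 to 5 scale for each factor and the scores are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample risk register for illustration; the 1 (low) to 5 (high)
# scale for every factor is an assumption, not something the text prescribes.
@dataclass(frozen=True)
class Risk:
    name: str
    asset: int          # A: how valuable the asset is
    threat: int         # T: how likely the threat is to act
    vulnerability: int  # V: how easily the weakness can be used against the asset
    impact: int         # I: how much damage results if the risk materialises

SAMPLE_REGISTER = [
    # high probability, low impact
    Risk("phishing email reaches a staff inbox", asset=3, threat=5, vulnerability=3, impact=1),
    # low probability, high impact
    Risk("backup tapes destroyed in a flood", asset=5, threat=1, vulnerability=4, impact=5),
    Risk("default router password left unchanged", asset=4, threat=3, vulnerability=5, impact=3),
]

def score_additive(risk: Risk) -> int:
    """A + T + V = risk: the simple definition quoted first in the text."""
    return risk.asset + risk.threat + risk.vulnerability

def score_multiplicative(risk: Risk) -> int:
    """V x T x I = risk: the definition that includes impact."""
    return risk.vulnerability * risk.threat * risk.impact

def rank_risks(register, scorer):
    """Return (name, score) pairs, highest priority first."""
    scored = [(risk.name, scorer(risk)) for risk in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    for label, scorer in (("A + T + V", score_additive), ("V x T x I", score_multiplicative)):
        print(f"Ranking by {label}:")
        for name, score in rank_risks(SAMPLE_REGISTER, scorer):
            print(f"  {score:3d}  {name}")
```

With the additive formula the frequent but harmless phishing risk outranks the rare flood; once impact is multiplied in, the flood moves above it, which is exactly the reordering the paragraph describes.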

The ISO 27000 family of standards is the most common set of standards used by companies in Europe. They suggest best practices for managing information security, usually within the context of an information security management system (ISMS).

The ISO 9000 series defines a set of standards for quality assurance and quality management and provides a larger framework that many companies strive to implement.

Example

If we think about real-life parallels, an asset is something valuable in your home like a new TV, a vulnerability is like an unlocked door, and a threat is a criminal who takes advantage of the vulnerability, resulting in the theft of your TV, the impact.

An online example would be using a weak password (vulnerability) to protect your Facebook account (asset) from someone who wants to log in and steal your identity (threat). The impact in this case is the loss of your account and the information it contains.

In both of these cases, we have a risk that only exists because there is an asset, a vulnerability, a threat and an impact.

It’s also good to keep in mind that a vulnerability is not necessarily an unintended flaw such as an unlocked window, but can be a consciously created weakness that, with computers, is commonly called a backdoor.

The types of vulnerabilities

There are many different kinds of vulnerabilities and they cover a wide range of targets and methods. A vulnerability can be, for example, poorly implemented access control, insufficient input handling or a known weakness in a computer chip that can be exploited. A generic classification for these kinds of vulnerabilities is hard to define. One classification can be found in the ISO 27005 standard. It classifies vulnerabilities based on the asset.

  • Hardware

    • Susceptibility to humidity or dust

    • Susceptibility to unprotected storage

    • Age-based wear that causes failure

    • Overheating

  • Software

    • Insufficient testing

    • Insecure coding

    • Lack of audit trail

    • Design flaw

  • Network

  • Personnel

  • Physical site

    • Area subject to natural disasters (like floods or earthquakes)

    • Interruption of power source

  • Organisational

    • Lack of regular audits

    • Lack of continuity plans

    • Lack of security

It’s important to understand that humans are the source of a surprisingly large number of vulnerabilities. Methods such as social engineering (tricking someone into divulging information) are sometimes the easiest ways of gaining access to confidential or secret information. The vulnerabilities in the classification also show that not all vulnerabilities are caused by someone exploiting them – some are also natural. Earthquakes, floods and other natural disasters can cause loss of information, which can be as critical as the theft of confidential information if backup procedures are not in place and working.

We will be covering some of the vulnerability types during this course, but as there are so many specific types, we will inevitably miss some of them. To see more information about different types of vulnerabilities, see this example.

[Image: a laptop with a backdoor open on the rear side of the screen]

Backdoors

According to Microsoft, a backdoor is “a hidden entrance to a computer system that can be used to bypass security policies.”

You can think of a backdoor as an open window in an otherwise locked building, or a spare key left hidden in a flower pot. It lets you get around other mechanisms used to secure the target, often without leaving a trace of the break-in. A backdoor relies on unauthorised users not finding it.

Some systems and services come with default users with known passwords, and these can be left active by accident, leaving the system vulnerable to attackers. These differ from a well-protected administrative account, whose password is not common knowledge.

Hardware backdoors

Backdoors are not necessarily applied just to applications. They can be installed on hardware such as the computer's motherboard.

It’s also possible to get around a technology vendor’s own safeguards if the whole supply chain is not monitored well enough. If the company doesn’t control the whole supply chain, an entity can insert a backdoor at a weak point in the chain without the manufacturer ever noticing. These kinds of backdoors are called supply chain backdoors. This is not just a theoretical problem either – the US National Security Agency has actually already installed a backdoor that way.

In the “Microsoft Digital Defense Report, September 2020”, Microsoft evaluates that 7% of their security notifications relate to supply chain attacks.

Example

Supply chain attacks don’t just happen to hardware. Possibly an even more damaging method is to breach a company’s services and alter the software updates they deliver to their users. One such attack was revealed in December 2020, when SolarWinds (a company mainly delivering network management solutions) had its services breached and its software modified to include a backdoor allowing the attacker, or anyone who knew where to look, to gain access to all the companies that installed the update. By SolarWinds’ own admission, the update was installed by “almost 18,000” companies.

The most notable of these companies, and many suspect the real targets, were most US government agencies and their networks. The US Department of Defense was also among the victims. The attack is believed to have originated from a Russian APT group called Cozy Bear, although attribution is still uncertain.

The problem with backdoors

The main problem with a backdoor is that it relies on its existence being secret. This is called security through obscurity. If an attacker discovers the backdoor, they can use it just as an authorised user can. Governments and intelligence agencies are currently putting a lot of pressure on tech companies to install backdoors in their technologies so that authorities have access during criminal investigations or for the purpose of preventing terrorist attacks. However, if these backdoors were installed, they would most likely be discovered by unauthorised people as well and become a huge privacy risk.

Note

What can I do about backdoors?

Defending yourself against the existence of a backdoor is really hard if you don’t even know whether one exists. You can, however, make sure you change the default credentials on devices such as Wi-Fi routers. You should also disable the guest accounts that some operating systems allow you to have.
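The two checks in this note can be turned into a small audit over an inventory of your own devices’ local accounts. This is an added example, not code from the course: the account export format, the salted-hash scheme, the list of vendor defaults and the device names are all constructed for illustration (a real list of defaults would come from the manuals of the devices you actually own).

```python
import hashlib
import hmac

def credential_hash(password: str, salt: str) -> str:
    """Illustrative salted SHA-256 of a password. Real devices use their own
    storage scheme; this stands in so the audit never handles plaintext."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

# Documented vendor defaults the audit looks for, keyed by username.
# Constructed for this example; not a real product's defaults.
KNOWN_DEFAULTS = {
    "admin": ["admin", "password"],
    "root": ["root"],
}

# Usernames commonly reserved for guest access (assumption for this example).
GUEST_ACCOUNTS = {"guest"}

def make_account(device, user, password, enabled, salt="s4lt"):
    """Build one inventory entry without storing the plaintext password."""
    return {"device": device, "user": user, "salt": salt,
            "hash": credential_hash(password, salt), "enabled": enabled}

# Constructed sample export of local accounts from a few home/office devices.
SAMPLE_INVENTORY = [
    make_account("office-router", "admin", "admin", enabled=True),
    make_account("office-router", "netops", "correct-horse-battery", enabled=True),
    make_account("lab-laptop", "Guest", "", enabled=True),
    make_account("lab-laptop", "alice", "a-long-unique-passphrase", enabled=True),
    make_account("old-nas", "root", "root", enabled=False),
]

def uses_vendor_default(account) -> bool:
    """True if the stored hash matches a documented default for that username."""
    for default_pw in KNOWN_DEFAULTS.get(account["user"].lower(), []):
        candidate = credential_hash(default_pw, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            return True
    return False

def audit_accounts(inventory):
    """Return (device, user, finding) triples for live accounts that need action."""
    findings = []
    for account in inventory:
        if not account["enabled"]:
            continue  # a disabled account is not a usable entrance
        if uses_vendor_default(account):
            findings.append((account["device"], account["user"],
                             "vendor default credentials still active"))
        elif account["user"].lower() in GUEST_ACCOUNTS:
            findings.append((account["device"], account["user"], "guest account enabled"))
    return findings

if __name__ == "__main__":
    for device, user, finding in audit_accounts(SAMPLE_INVENTORY):
        print(f"{device}: {user}: {finding}")
```

The audit only compares hashes, so it can run over an exported credential store without ever seeing a password, and it ignores disabled accounts because a disabled default account is not a live entrance.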

Threat modelling: thinking about your risk

Professionals in security use different risk assessment methods to define and assess the potential of a risk and how large the impact is if the risk happens. In cybersecurity, professionals often talk about threat modelling. This is the practice of identifying and prioritising potential threats and mitigations to protect something of value – an asset like confidential data or intellectual property.

One commonly used threat modelling framework is STRIDE, developed by Microsoft. STRIDE is a mnemonic for the terms:

  • Spoofing – impersonating something or someone else

  • Tampering – modifying data or code

  • Repudiation – claiming to have not performed an action

  • Information disclosure – exposing information to someone not authorised to see it

  • Denial of service – deny or degrade service to users

  • Elevation of privilege – gain capabilities without proper authorisation

These are the categories of threat that the model assesses against each possible attack vector. In this context, the attack vectors are the identified processes, data stores, interfaces and trust boundaries of a system. STRIDE is part of the threat modelling in Microsoft’s Security Development Lifecycle (SDL). Read more about STRIDE.
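Here is how STRIDE is applied element by element to a small system model. This is an added example, not code from the course or from Microsoft: the web application model is constructed, and the table of which STRIDE categories apply to each kind of element (external entity, process, data store, data flow) is the commonly cited STRIDE-per-element mapping, which the text above does not itself spell out.

```python
# STRIDE categories and the security property each one violates; the property
# column is the standard pairing used in threat-modelling material.
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation (audit logging)"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorisation"),
}

# Which STRIDE threats apply to each kind of element in a data-flow diagram.
# This is the commonly cited STRIDE-per-element table, an assumption of this
# example rather than something the text states.
THREATS_BY_ELEMENT = {
    "external entity": "SR",
    "process": "STRIDE",
    "data store": "TRID",
    "data flow": "TID",
}

# Constructed model of a small web application. "boundary" marks elements that
# sit on or cross a trust boundary (here: anything touching the user's browser).
SAMPLE_MODEL = [
    {"name": "user's browser", "kind": "external entity", "boundary": True},
    {"name": "web app", "kind": "process", "boundary": False},
    {"name": "user database", "kind": "data store", "boundary": False},
    {"name": "browser -> web app (HTTPS)", "kind": "data flow", "boundary": True},
    {"name": "web app -> user database", "kind": "data flow", "boundary": False},
]

def enumerate_threats(model):
    """Expand each element into one row per STRIDE category that applies to it."""
    rows = []
    for element in model:
        for letter in THREATS_BY_ELEMENT[element["kind"]]:
            threat, prop = STRIDE[letter]
            rows.append({"element": element["name"], "threat": threat,
                         "property_at_risk": prop, "boundary": element["boundary"]})
    return rows

def prioritise(rows):
    """Threats on elements that touch a trust boundary come first."""
    return sorted(rows, key=lambda row: (not row["boundary"], row["element"], row["threat"]))

if __name__ == "__main__":
    for row in prioritise(enumerate_threats(SAMPLE_MODEL)):
        flag = "*" if row["boundary"] else " "
        print(f"{flag} {row['element']:28} {row['threat']:24} -> protect {row['property_at_risk']}")
```

The output is the raw list of candidate threats, one per element and category; the next step in a real exercise is to decide, for each row, whether a mitigation already covers the property at risk or whether a new one is needed.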

Part summary

After completing chapter 1, you should be able to:

  • explain the basics of cybersecurity including what it means and why it’s important

  • explain what a hacker is

  • understand what “risk” means in terms of cybersecurity

You reached the end of Chapter 1
