APPENDIX A
Categorized List of Cybersecurity Threats
(Guidebook on Best Practices for Airport Cybersecurity)

Following is a categorized list of threats that may affect airport data and systems. Each entry is given as "Threat name: Description", grouped under its category.

Confidentiality Breach
  Compromise of encryption material: Adversary able to gain access to encryption keys.
  Release of personally identifiable information (PII): Intentional or unintentional release of PII.

Counterfeit Hardware
  Compromise of design, manufacture, and/or distribution of information system components (including hardware, software, and firmware): Adversary compromises the design, manufacture, and/or distribution of critical information system components at selected suppliers.
  Introduction of counterfeit or tampered-with hardware into the supply chain: Adversary intercepts hardware from legitimate suppliers. Adversary modifies the hardware or replaces it with faulty or otherwise modified hardware.

Data Breach
  Compromise of organizational information systems to facilitate exfiltration of data/information: Adversary implants malware into internal organizational information systems, where the malware over time can identify and then exfiltrate valuable information.

Delayed Technology Refresh
  Resource depletion: Degraded processing performance due to resource depletion.
  Unreadable display: Display unreadable due to aging equipment.

Denial of Service (DoS)
  Distributed denial of service (DDoS) attacks: Adversary uses multiple compromised information systems to attack a single target, thereby causing denial of service for users of the targeted information systems.
  Simple DoS attack: Adversary attempts to make an Internet-accessible resource unavailable to intended users or to prevent the resource from functioning efficiently or at all, temporarily or indefinitely.
  Targeted DoS attacks: Adversary directs DoS attacks at critical information systems, components, or supporting infrastructures, based on adversary knowledge of dependencies.

Host Exploit
  Poorly configured or unauthorized information systems exposed to the Internet: Adversary gains access through the Internet to information systems that are not authorized for Internet connectivity or that do not meet organizational configuration requirements.
  Wireless jamming attacks: Adversary takes measures to interfere with wireless communications so as to impede or prevent communications from reaching intended recipients.

Inadequate Monitoring of Proximity Events
  Events occurring at any critical infrastructure near the airport, such as a railroad, subway, or chemical storage: Failure to monitor events in the proximity of an airport that may cause indirect damage to, or disruption of, airport services.

Ineffective Disposal
  Obtaining information by opportunistically stealing or scavenging information systems/components: Adversary steals information systems or components (e.g., laptop computers or data storage media) that are left unattended outside of the physical perimeters of organizations, or scavenges discarded components.
Ineffective Testing
  Introduction of vulnerabilities into software products: Due to inherent weaknesses in programming languages and software development environments, errors and vulnerabilities are introduced into commonly used software products.
  Reverse engineering: An attacker discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effectively determine how the analyzed entity was constructed or operates. The goal of reverse engineering is often to duplicate the function, or a part of the function, of an object in order to duplicate or "back engineer" some aspect of its functioning. Reverse engineering techniques can be applied to mechanical objects, electronic devices or components, or to software, although the methodology and techniques involved in each type of analysis differ widely.
  Software integrity attacks: An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, modifying the target so that it enters an insecure state.
  Software reverse engineering: An attacker discovers the structure, function, and composition of a type of computer software by using a variety of analysis techniques to effectively determine how the software functions and operates, or whether vulnerabilities or security weaknesses are present within the implementation. Reverse engineering methods, as applied to software, can utilize a wide number of approaches and techniques.

Insider Threat
  Coordinate a campaign of continuous, adaptive, and changing cyberattacks based on detailed surveillance: Adversary attacks continually change in response to surveillance and organizational security measures.
  Coordinate a campaign that combines internal and external attacks across multiple information systems and information technologies: Adversary combines attacks that require both physical presence within organizational facilities and cyber methods to achieve success. Physical attack steps may be as simple as convincing maintenance personnel to leave doors or cabinets open.
  Coordinate cyberattacks using external (outsider), internal (insider), and supply-chain (supplier) attack vectors: Adversary employs continuous, coordinated attacks, potentially using all three attack vectors, for the purpose of impeding organizational operations.
  Insertion of subverted individuals into organizations: Adversary places individuals within organizations who are willing and able to carry out actions to cause harm to organizational missions/business functions.
  Insertion of subverted individuals into privileged positions in organizations: Adversary places individuals in privileged positions within organizations who are willing and able to carry out actions to cause harm to organizational missions/business functions.
  Insider-based social engineering to obtain information: Internally placed adversary takes actions (e.g., using email, phone) so that individuals within organizations reveal critical/sensitive information (e.g., mission information).
  Vulnerabilities exploited by leveraging internal organizational information systems: Adversary searches for known vulnerabilities in organizational internal information systems and exploits those vulnerabilities.
Insider Threat / Data Breach
  Compromise of mission-critical information: Adversary compromises the integrity of mission-critical information, thus preventing or impeding the ability of the organizations to which the information is supplied to carry out operations.
  Vulnerabilities exploited using zero-day attacks: Adversary employs attacks that exploit as-yet-unpublicized vulnerabilities. Zero-day attacks are based on adversary insight into the information systems and applications used by organizations as well as adversary reconnaissance of organizations.

Intentional Data Alteration
  Data integrity loss by creating, deleting, and/or modifying data on publicly accessible information systems (e.g., web defacement): Adversary vandalizes, or otherwise makes unauthorized changes to, organizational websites or data on websites.
  Data integrity loss by injecting false but believable data into organizational information systems: Adversary injects false but believable data into organizational information systems, resulting in suboptimal actions or loss of confidence in organizational data/services.
  Data integrity loss by polluting or corrupting critical data: Adversary implants corrupted and incorrect data in critical data, resulting in suboptimal actions or loss of confidence in organizational data/services.

Intentional Data Theft
  Gaining access to sensitive information via exfiltration: Adversary directs malware on organizational systems to locate and surreptitiously transmit sensitive information.

Internal Threat
  Robbery: The act or an instance of unlawfully taking the property of another by the use of violence or intimidation.

Lack of Internal Control
  Insecure or incomplete data deletion in multi-tenant environment: Adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment (e.g., in a cloud computing environment).

Malicious Code
  Application API message manipulation via man-in-the-middle (MITM): An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or to conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allows the attacker to intercept communications between the web browser and the remote system (i.e., a "man-in-the-middle" attack). Despite the use of MITM software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not a true MITM attack at the network layer but an application-layer attack, the root cause of which is the master application's trust in the integrity of code and data supplied by the client.
  Compromise of critical information systems via physical access: Adversary obtains physical access to organizational information systems and makes modifications.
  Compromise of information systems or devices used externally and reintroduced into the enterprise: Adversary installs malware on information systems or devices while the systems/devices are external to organizations, for the purpose of subsequently infecting organizations when the systems/devices are reconnected.
  Insertion of specialized malicious code into organizational information systems based on system configurations: Adversary inserts specialized, non-detectable malware into organizational information systems based on system configurations, specifically targeting critical information system components.
Malicious Code (continued)
  Malicious code delivery to internal organizational information systems (e.g., virus via email): Adversary uses common delivery mechanisms (e.g., email) to install/insert known malware (i.e., malware whose existence is known) into organizational information systems.
  Malware injection using provided removable media: Adversary places removable media (e.g., flash drives) containing malware in locations external to organizational physical perimeters but where employees are likely to find the media (e.g., facility parking lots, exhibits at conferences attended by employees).
  Delivery of modified malware to internal organizational information systems: Adversary uses more sophisticated delivery mechanisms than email (e.g., web traffic, instant messaging, FTP) to deliver malware, possibly modifications of known malware, to gain access to internal organizational information systems.
  Non-targeted zero-day attacks: Adversary employs attacks that exploit as-yet-unpublicized vulnerabilities. Attacks are not based on any adversary insight into specific vulnerabilities of organizations.
  Targeted malware injection into organizational information systems and information system components: Adversary inserts malware into organizational information systems and information system components (e.g., commercial information technology products), specifically targeted to the hardware, software, and firmware used by organizations (based on knowledge gained via reconnaissance).
  Targeted malware to take control of internal systems and exfiltrate data: Adversary installs malware that is specifically designed to take control of internal organizational information systems, identify sensitive information, exfiltrate the information back to the adversary, and conceal these actions.
  Untargeted malware injection into downloadable software and/or into commercial information technology products: Adversary corrupts or inserts malware into common freeware, shareware, or commercial information technology products. Adversary is not targeting specific organizations, simply looking for entry points into internal organizational information systems. Note that this is a particular concern for mobile applications.

Organized Campaign
  Coordinate a campaign of multi-staged attacks (e.g., hopping): Adversary moves the source of malicious commands or actions from one compromised information system to another, making analysis difficult.
  Coordinate campaigns across multiple organizations to acquire specific information or achieve desired outcome: Adversary does not limit planning to the targeting of one organization. Adversary observes multiple organizations to acquire necessary information on targets of interest.

Phishing
  Creating and operating false front organizations to inject malicious components into the supply chain: Adversary creates false front organizations with the appearance of legitimate suppliers in the critical life-cycle path, which then inject corrupted/malicious information system components into the organizational supply chain.
  Other phishing attacks: Adversary counterfeits communications from a legitimate/trustworthy source to acquire sensitive information such as usernames, passwords, or Social Security numbers. Typical attacks occur via email, instant messaging, or comparable means, commonly directing users to websites that appear to be legitimate sites while actually stealing the entered information.
  Spear phishing attacks: Adversary employs phishing attacks targeted at high-value targets (e.g., senior leaders/executives).

Physical Exploit
  Cyber-physical attacks on organizational facilities: Adversary conducts a cyber-physical attack on organizational facilities (e.g., remotely changes HVAC settings).
Social Engineering
  Attacks specifically based on deployed information technology environment: Adversary develops attacks (e.g., crafts targeted malware) that take advantage of adversary knowledge of the organizational information technology environment.
  Compromise of physical access of authorized staff to gain access to organizational facilities: Adversary follows ("tailgates") authorized individuals into secure/controlled locations with the goal of gaining access to facilities, circumventing physical security checks.
  Outsider-based social engineering to obtain information: Externally placed adversary takes actions (e.g., using email, phone) with the intent of persuading or otherwise tricking individuals within organizations into revealing critical/sensitive information (e.g., PII).

Supply Chain Integrity
  Supply-chain attacks targeting and exploiting critical hardware, software, or firmware: Adversary targets and compromises the operation of software (e.g., through malware injections), firmware, and hardware that perform critical functions for organizations. This is largely accomplished through supply-chain attacks on both commercial off-the-shelf and custom information systems and components.

Third Party
  Pervasive disk error: Multiple disk errors due to aging of a set of devices all acquired at the same time, from the same supplier.

Unauthorized Access (host, network, or app)
  Attacks targeting and compromising personal devices of critical employees: Adversary targets key organizational employees by placing malware on their personally owned information systems and devices (e.g., laptop/notebook computers, personal digital assistants, smartphones). The intent is to take advantage of any instances where employees use personal information systems or devices to handle critical/sensitive information.
  Attacks using unauthorized ports, protocols, and services: Adversary conducts attacks using ports, protocols, and services for ingress and egress that are not authorized for use by organizations.
  Brute-force login attempts / password-guessing attacks: Adversary attempts to gain access to organizational information systems by random or systematic guessing of passwords, possibly supported by password-cracking utilities.
  Communications interception attacks: Adversary takes advantage of communications that are either unencrypted or use weak encryption (e.g., encryption containing publicly known flaws), targets those communications, and gains access to transmitted information and channels.
  Coordinate a campaign that spreads attacks across organizational systems from existing presence: Adversary uses existing presence within organizational systems to extend the adversary's span of control to other organizational systems, including organizational infrastructure. Adversary is thus in position to further undermine organizational ability to carry out missions/business functions.
  Data-scavenging attacks in a cloud environment: Adversary obtains data used and then deleted by organizational processes running in a cloud environment.
  Degradation or denial of attacker-selected services or capabilities: Adversary directs malware on organizational systems to impair the correct and timely support of organizational mission/business functions.
  Deterioration/destruction of critical information system components and functions: Adversary destroys or causes deterioration of critical information system components to impede or eliminate organizational ability to carry out missions or business functions. The adversary is not concerned with avoiding detection of this action.
Unauthorized Access (host, network, or app) (continued)
  Externally based network traffic modification (man-in-the-middle) attacks: Adversary, operating outside organizational systems, intercepts/eavesdrops on sessions between organizational and external systems. Adversary then relays messages between organizational and external systems, making them believe that they are talking directly to each other.
  Internally based network traffic modification (man-in-the-middle) attacks: Adversary operating within the organizational infrastructure intercepts and corrupts data sessions.
  Introduction of tampered-with critical components into organizational systems: Adversary replaces, through the supply chain, a subverted insider, or some combination thereof, critical information system components with modified or corrupted components.

Unauthorized Back Door
  Obfuscate adversary actions: Adversary takes actions to inhibit the effectiveness of the intrusion detection systems or auditing capabilities within organizations.

Unauthorized Host Access
  Compromise of software of critical organizational information systems: Adversary inserts malware or otherwise corrupts critical internal organizational information systems.
  Counterfeit certificates: Adversary counterfeits certificates or compromises a certificate authority, so that malware or connections will appear legitimate.
  Creating counterfeit/spoof website: Adversary creates duplicates of legitimate websites; when users visit a counterfeit site, the site can gather information or download malware.

Unauthorized Network Access
  Attacks leveraging traffic/data movement allowed across perimeter: Adversary makes use of permitted information flows (e.g., email communication, removable storage) to compromise internal information systems, which allows the adversary to obtain and exfiltrate sensitive information through perimeters.
  Breaking into an isolated multi-tenant environment: Adversary circumvents or defeats isolation mechanisms in a multi-tenant environment (e.g., in a cloud computing environment) to observe, corrupt, or deny service to hosted services and information/data.
  Exploitation of split tunneling: Adversary takes advantage of external organizational or personal information systems (e.g., laptop computers at remote locations) that are simultaneously connected securely to organizational information systems or networks and to non-secure remote connections.
  Externally based session hijacking: Adversary takes control of (hijacks) already-established, legitimate information system sessions between organizations and external entities (e.g., users connecting from off-site locations).
  General-purpose sniffers on organization-controlled information systems or networks: Adversary installs sniffing software onto internal organizational information systems or networks.
  Internally based session hijacking: Adversary places an entity within organizations in order to gain access to organizational information systems or networks for the express purpose of taking control (hijacking) of an already-established, legitimate session, either between organizations and external entities (e.g., users connecting from remote locations) or between two locations within internal networks.
  Malicious scanning devices (e.g., wireless sniffers) inside facilities: Adversary uses the postal service or other commercial delivery services to deliver to organizational mailrooms a device that is able to scan wireless communications accessible from within the mailrooms and then wirelessly transmit information back to the adversary.
Unauthorized Network Access (continued)
  Network sniffing of exposed networks: Adversary with access to exposed wired or wireless data channels used to transmit information uses network sniffing to identify components, resources, and protections.
  Obtaining sensitive information through network sniffing of external networks: Adversary with access to exposed wired or wireless data channels that organizations (or organizational personnel) use to transmit information (e.g., kiosks, public wireless networks) intercepts communications.
  Persistent and targeted sniffers installed on organizational information systems and networks: Adversary places within internal organizational information systems or networks software designed to collect (sniff) network traffic over a continuous period of time.

Unauthorized Physical Access
  Bypassing card- or badge-based systems: An attacker bypasses the security of a card-based system by using techniques such as cloning access cards or using brute-force techniques. Card-based systems are widespread throughout business, government, and supply-chain management. Attacks against card-based systems vary widely based on the attackers' goals but commonly include unauthorized reproduction of cards, brute-force creation of valid card values, and attacks against systems which read or process card data. Due to the inherent weaknesses of card and badge security, high-security environments will rarely rely upon the card or badge alone as a security mechanism. Common card-based systems are used for financial transactions, user identification, and access control. Cloning attacks involve making an unauthorized copy of a user's card, while brute-force attacks involve creating new cards with valid values. Denial of service attacks against card-based systems involve rendering the reader, or the card itself, disabled. Such attacks may be useful in a fail-closed system for keeping authorized users out of a location while a crime is in progress, whereas fail-open systems may grant access, or an alarm may fail to trigger, if an attacker disables or damages the card authentication device.
  Cloning magnetic strip cards: An attacker duplicates the data on a magnetic strip card (i.e., "swipe card" or "magstripe") to gain unauthorized access to a physical location or to a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of it and then return the card to its location (e.g., a co-worker's desk). Magstripe reader/writers are widely available, as is software for analyzing the data encoded on the cards. By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original.
Unauthorized Physical Access (continued)
  Physical attacks on infrastructures supporting organizational facilities: Adversary conducts a physical attack on one or more infrastructures supporting organizational facilities (e.g., breaks a water main, cuts a power line).
  Physical attacks on organizational facilities: Adversary conducts a physical attack on organizational facilities (e.g., sets a fire).

Unauthorized Reconnaissance
  Access to sensitive data/information from publicly accessible information systems: Adversary scans or mines information on publicly accessible servers and web pages of organizations with the intent of finding sensitive information.
  Cyberattacks based on detailed surveillance: Adversary adapts behavior in response to surveillance and organizational security measures.
  Gathering information by externally located interception of wireless network traffic: Adversary intercepts organizational communications over wireless networks. Examples include targeting public wireless access or hotel networking connections, and drive-by subversion of home or organizational wireless routers.
  Information gathering using open-source discovery of organizational information: Adversary mines publicly accessible information to gather information about organizational information systems, business processes, users or personnel, or external relationships that the adversary can subsequently employ in support of an attack.
  Internal malware-directed reconnaissance: Adversary uses malware installed inside the organizational perimeter to identify targets of opportunity. Because the scanning, probing, or observation does not cross the perimeter, it is not detected by externally placed intrusion detection systems.
  Perimeter network reconnaissance/scanning: Adversary uses commercial or free software to scan organizational perimeters to obtain a better understanding of the information technology infrastructure and improve the ability to launch successful attacks.
  Reconnaissance and surveillance of targeted organizations: Adversary uses various means (e.g., scanning, physical observation) over time to examine and assess organizations and ascertain points of vulnerability.

Unintended Data Compromise
  Disclosure of critical and/or sensitive information by authorized users: Adversary induces (e.g., via social engineering) authorized users to inadvertently expose, disclose, or mishandle critical/sensitive information.
  Mishandling of critical and/or sensitive information by authorized users: Authorized privileged user inadvertently exposes critical/sensitive information.
  Unauthorized disclosure and/or unavailability by spilling sensitive information: Adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. The information is exposed to individuals who are not authorized to access such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated.

Unintended Data Leak
  Incorrect privilege settings: Authorized privileged user or administrator erroneously assigns a user exceptional privileges or sets privilege requirements on a resource too low.
Unintended Data Leak (continued)
  Spill sensitive information: Authorized user erroneously contaminates a device, information system, or network by placing on it, or sending to it, information of a classification/sensitivity which it has not been authorized to handle. The information is exposed to access by unauthorized individuals, and as a result the device, system, or network is unavailable while the spill is investigated and mitigated.

Unpatched Hosts
  Exploitation of known vulnerabilities in mobile systems (e.g., laptops, PDAs, smartphones): Adversary takes advantage of transportable information systems being outside the physical protection of organizations and the logical protection of corporate firewalls, and compromises the systems based on known vulnerabilities to gather information from those systems.
  Exploitation of recently discovered vulnerabilities: Adversary exploits recently discovered vulnerabilities in organizational information systems in an attempt to compromise the systems before mitigation measures are available or in place.

Vishing
  Compromise or gaining access to critical information systems: Use of voice systems as a social engineering technique to break into, compromise, or gain access to critical information systems.

Source: NIST (2012), Verizon (2012), MITRE Corporation (2014b), and research team experience.