Threats, Vulnerability, Uncertainty and Information Risk

Eduardo Gelbstein (Webster University, Switzerland)
DOI: 10.4018/978-1-61520-831-9.ch005

Two other matters complicate this topic: the lack of statistical data relating to cyber-attacks and the vulnerabilities inherent in hardware, software and networks, many of which are unknown until someone exploits them.
Chapter Preview

1. Introduction: Threats And Attacks

I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive.

We've created life in our own image. (Stephen Hawking (n.d.))

Electronic devices – computers of all kinds, personal digital assistants and cellular telephones – have been the targets of theft and electronic attacks for many years. The latter take many forms and are continuously becoming more sophisticated.

The forms of attack experienced so far can be grouped in several categories: Vandalism, Infection, Disruption, Concealment and Data theft. In addition, there is a wide range of illegal and/or criminal activities such as espionage, interception, fraud and extortion.

Human ingenuity and creativity will undoubtedly find new ways to interfere with the smooth operation of information systems and data.

Vandalism attacks tend to cause little damage (apart from bruised egos and reputations) and can be quickly repaired – typically these involve defacing websites, which is relatively easy to do.

Infection attacks involve malicious software such as viruses, worms and spyware. While antivirus software has been effective in preventing and containing such infections, more recent malicious software (also known as malware) is reported to be able to bypass such defences.

Infection attacks have two components – a vector or delivery mechanism and a payload that causes damage. The vectors take many forms – from infected files (music, text, photographs) to infected CDROMs and USB flash memories – the latter, often together with social engineering, create an illusion of trust and result in an infected device being used in a computer or photographic camera, thus creating a chain of infection.

The payload can take many forms and may corrupt or delete data, capture keystrokes, track activity, send confidential information to a third party and more. Well-designed payloads leave little or no trace of their activity.

Disruption attacks are intended to render the operation of a system, service or website impossible – Denial of Service Attacks, for example, swamp a network or a website with messages and cause it to become inoperable. Infection attacks can also be disruptive as normal operations require all affected components to be sanitized and tested, both time and labor intensive.

Concealment attacks are designed not to be detected and allow those who launch them to take control of the target computer or device without the owner being aware of it. The payloads used for this purpose have names such as Trojan Horse, Rootkit and Backdoor. Professionally designed or “military strength” malware of this kind is difficult to detect and remove.

In October 2008 it was reported (Chip & Pin terminals, 2008) that Joel Brenner, US National Counterintelligence Executive and Mission Manager for Counterintelligence, stated that point of sale equipment manufactured in China had been compromised by international criminal gangs by tampering during the manufacturing process:

It is believed an extra chip fixed to the back of the motherboard during manufacturing could have been responsible for large sums of money being taken from European customers' accounts. Customer card details, along with Personal Identification Numbers (PIN), were said to have been copied over a period of nine months and transmitted via mobile phone networks to fraudsters in Pakistan and that these may have raised funds to support terrorist activities. See also the Chapter in this book “What is Cyberterrorism and How Real is the Threat? - A Review of the Academic Literature, 1998 – 2008” by Maura Conway.

Data theft attacks are mainly conducted by industrial (and other) spies and organised crime with a profit motive. Terrorist and cyber-war attacks could use similar techniques to modify and corrupt data in critical information infrastructures.


2. Taking The Mystery Out Of Risk Terminology

“Risk” is a word in common use by both professionals and the general public. However, it means different things to different people and there is no shortage of definitions and methodologies to – perhaps optimistically – manage risk.

Traditionally, in statistical analysis and finance, risk is used to denote a probability of specific outcomes. In this approach “risk” is independent from the notion of value and, as such, outcomes may have both beneficial and adverse consequences – the classical expression being

Risk = (probability of an event occurring) * (impact of the event)
