Invitation to Cybersecurity

5.3.3 Cyber Vulnerabilities

As we saw in Chapter 3, a cyber vulnerability is a weakness. Vulnerabilities are exploited by cyber threat actors. An exploit is an action that takes advantage of a vulnerability to compromise security. Cyber threat modeling is a systematic approach to identifying cyber vulnerabilities. It uses brainstorming exercises and hypothetical scenarios and applies adversarial thinking to explore how cyber threat actors could find and exploit vulnerabilities within an organization. One way to do threat modeling is by examining each of the categories of people, processes, technology, and facilities. These four categories are the functional underpinnings of any organization. They are where vulnerabilities reside and also where cybersecurity is implemented.

5.3.3.1 People

An old adage warns that people are the weakest link in cybersecurity. Cyber threat actors often target employees as the easiest way to achieve their objectives. As we saw in Chapter 4, hackers use social engineering to deceive people into taking actions that undermine security. People are trusting, non-confrontational, and want to help, and these are vulnerabilities that hackers exploit by using deception and preying on a person’s goodwill. Organizations need to consider how different categories of employees might be socially engineered to compromise cybersecurity. They also need to identify what other groups of people have access to cyber assets (e.g., the supply chain), and what harm could be done by insider threats.

5.3.3.2 Processes

Processes also have vulnerabilities. Hackers examine processes to find weaknesses. A weakness may be an exception to the process that was never considered, opening up a security loophole. As a non-cybersecurity example, airport security personnel follow a process for screening passengers before allowing them to board an airplane. One of their objectives is to prevent people from bringing explosive devices onboard a flight. A terrorist group in the early 2000s found a loophole in the security process: shoes were not screened. After an incident where a terrorist was caught mid-flight in the act of trying to ignite his “shoe bomb” (fortunately, he did not succeed), the screening process was modified so that passengers now have to remove their shoes (see Figure 5.2). For cyber threat modeling, organizations need to examine the different functions they perform and apply adversarial thinking to brainstorm how they could be subverted.

5.3.3.3 Technology

The history of cybersecurity has proven that cyberspace is rife with technology vulnerabilities as we saw in Section 4.1.2.2. There are vulnerabilities in software, hardware, and networks. These vulnerabilities are widespread because cyberspace is complex, and as we have seen, complexity is the enemy of security. Complexity creates darkness where vulnerabilities can hide. Most software vulnerabilities are unintentional bugs created
