Managing Network Security

The Threat

by Fred Cohen

Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

Revisiting Risk

Threats, vulnerabilities, and consequences conspire to generate risks. Without substantial negative consequences, who cares about vulnerabilities or threats? They can have no effect. Without vulnerabilities, it doesn't matter what the threat or consequence is, nothing can go wrong. Without threats, it doesn't matter that systems are vulnerable and that there are high consequences from exploitation.

We hear a great deal about vulnerabilities from the media. It seems like every day there are several new vulnerabilities published. We also hear about consequences on a daily basis as more and more incidents are published in the media. But threats are different. We don't really hear much about the threats and when we do the information tends to be poor. We constantly hear the term 'hackers' as it it were generic form of all threats. But just as it is a disservice to call all vulnerabilities 'viruses' (as some people do) and all consequences secrecy issues (as some people do) it is a disservice to lump all actors that attack systems hackers. They are not.

In this month's article, we are going to discuss threats in a bit more depth - but only a bit...

What's in a Name?

If we called everybody that worked in information technology a technologist - from the CIO to the new-hire - it might make it easier on those reporting about information technology, but it would not be very informative to those of us reading about it. Imagine the headline:

"Technologist Starts New Database Project"

If it is the CIO, it may mean dramatic changes in the global IT position - while if it is the new assistant in my lab, it probably doesn't mean very much at all. When we hear about "hackers" disabling military capabilities, we should start to doubt the quality of the reporting. "Hackers" don't intentionally harm systems.

Words have real effect in the human world. Words insight wars and move nations toward peace. Words influence populations and often make the difference in major decisions with long-term effects. When we communicate about threats to computers, if we use better words, our message will get across a lot more clearly, and as a result, the proper attention will be paid to the proper risks.

What are the Right Words?

Of course I don't own the right to mint words any more than anybody else does, but as a researcher in the field, I have done some rather extensive study on the threats to information systems. To start out, I want to clarify what I mean by the term threats.

Threats are actors, including individuals, groups, organizations, and for convenience we also include nature. In the case of nature, the threat is commonly analyzed by statistical means, but human threats are normally far harder to analyze in this way because people act with malice and intelligence and adapt to defenses. I will leave nature out of the threat list below:

activists club initiates competitors
consultants crackers for hire crackers
customers cyber-gangs deranged people
drug cartels economic rivals extortionists
foreign agents and spies fraudsters global coalitions
government agencies hackers hoodlums
industrial espionage experts information warriors infrastructure warriors
insiders maintenance people military organizations
nation states organized crime paramilitary groups
police private investigators professional thieves
reporters terrorists tiger teams
vandals vendors whistle blowers

If you are interested in definitions of these threat types (I don't want to waste your time with it here) goto the web site and press the "New Security Database" menu selection. These definitions are not the issue of the day anyway.

After the Rhetoric

Threats are not magical and thus they have their limits. For example, threats are limited by expertise, time, funding, capabilities, and knowledge of situational specifics. In recent months I have seen a dramatic improvement in the reporting of threat types in the media. For example, in a recent story about denial of service attacks, the FBI was quoted as calling the attackers "vandals" and the media reported this term in their headline and throughout their story.

While you could reasonably assert that the acts were acts of vandalism, until the perpetrator is found, it is speculative to assert that vandals are the definitive sources of these attacks. Still, I consider this to be a great improvement over the massive use of the term "hackers".

In high-profile cases, rhetoric rules, and the recent increases in attacks and attention to cyber attacks by global governments has produced a lot of rhetoric. But in the end, threats are not mysterious. They are - to a close approximation - the same sorts of actors that have always existed with the same sorts of motives they have always had.

A good example of rhetoric is the use of the term cyber-terror[ist/ism]. The notion of cyber terrorism is used to evoke images of death and destruction so as to get funding for protection against what has largely been inconvenience and disruption, and to justify movement toward (but not yet approaching) the police-state of the George Orwell book '1984'. Here's a quick quiz: How many people were killed in the attacks on Ebay and what group with political motives used these attacks to forward their goals? If the answer is that nobody got killed and no political group claimed credit, was it terrifying and why do we call it terrorism? The answer is simple - it was not terrorism, and the term was invoked to gain media attention and more funding.

But after all the rhetoric, we still have a very real issue that needs to be settled in order to make prudent risk management decisions. We need to understand something about the actors that are likely to try to exploit vulnerabilities to induce adverse consequences. This process is called threat assessment.

Threat Assessemnt

The art of threat assessment is an ancient one and one that has never been perfected. I like to tell my clients that the more they tell me the better I can do. In threat assessment, having a good intelligence network, sbstantial experience, and a strong knowledge of current events is key to being able to do the job well. The rest of us have to muddle along with less precision.

A good example of a threat assessment is a process I have underway right now for a client. In this particular case, there are specific groups of actors who are of concern. These groups have histories, physical locations they tend to operate in, methods of operation, technological capabilities, personnel with varying degrees of experience, finances, reasons for exploiting cyber attacks, and so forth.

Threat assessment involves an ongoing process of research and fusion. As you research specific threats, you gain increasing knowledge of their nature, their capabilities, their modus operadi, their motives, and other aspects of what they do and who they are. For a while, you find information in the open, but as the mining operation runs dry, it gets harder and harder to get information. The next steps become more active in that getting additional data requires convincing a person with special knowledge or system with special data to provide information not normally available.

Along with this process comes a certain element of risk. For example, if you are investigating a criminal group, they might decide to kill you for your efforts. If you are investigating a cracker, they might try to destroy your credit rating. This is, of course, part of their modus operandi. We normally wish to avoid getting killed or having our credit destroyed in the threat assessment process, which means we need to move toward some set of technical safeguards, and as the process becomes more dangerous, toward spycraft and eventually a full-blown intelligence operation.

Generic Threat Assessment

After doing a number of threat assessments, you might decide that the cost of assessing each threat for each situation is too high to justify. Once this happens, assuming you have enough experience with similar groups and individuals, you can move toward generic threat assessment with some level of quality. For example, in many cases, you might be able to identify that terrorists are not in the threat profile while industrial espionage (theft type) experts are. In this case, you can probably eliminate bombs and hand grenades from the list of things that may be used against you, but you had better include lots of human subversion, brives, extortion, technical attacks, and on and on.

Of course real threats are not generic at all, but a decent model of what these threats tend to use and who, where, when, and why they can be expected to be active against what systems is helpful in deciding which vulnerabilities to cover to what extent and which to accept as producing less well-covered risks. Unfortunately, there is no comprehensive database of this sort available today and those who track specific threats don't want this information to get out because it goes to sources and methods of collection and this eventually defeats further intelligence attempts.

An alternative is to simply believe the media and use their reports as the basis for threat assessment and statistical analysis. Unfortunately, in this area, the media is not doing a very good job because they seem to roll everything up into the generic form. 'Hackers did it all' is just not very useful in trying to differentiate threats. The media is getting better, but they have a long way to go.


Understanding threats is a key element in any risk management process, and yet we generally do it rather poorly. This is one of the reasons that organizations always seem to be behind the curve in the attack and defense game. To get ahead of the curve, you should do detailed threat assessment and use this information to inform your protection decisions. Unfortunately, threat assessment seems too expensive for any single organization to bear and there are no credible commercial threat assessment groups offering the service for corporaitons to buy. Lacking this, the only process available is based on facilitated expert opinions. This requires that you get access to knowledgeable experts - something in very short supply today.

About The Author:

Fred Cohen is exploring the minimum raise as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates in Livermore California, and educating defenders over-the-Internet on all aspects of information protection as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at or visiting /