Vulnerabilities are flaws in a computer system that weaken the
overall security of the device/system. Vulnerabilities can be
weaknesses in either the hardware itself, or the software that runs on
the hardware. Vulnerabilities can be exploited by a threat actor,
such as an attacker, to cross privilege boundaries (i.e. perform
unauthorized actions) within a computer system. To exploit a
vulnerability, an attacker must have at least one applicable tool or
technique that can connect to a system weakness. In this frame,
vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.
Vulnerability management is a cyclical practice that varies in theory but contains common processes, which include: discover all assets, prioritize assets, assess or perform a complete vulnerability scan, report on results, remediate vulnerabilities, verify remediation, and repeat. This practice generally refers to software vulnerabilities in computing systems. Agile vulnerability management refers to preventing attacks by identifying all vulnerabilities as quickly as possible.
A security risk is often incorrectly classified as a vulnerability. Using the term vulnerability with the same meaning as risk can lead to confusion. The risk is the potential of a significant impact resulting from the exploit of a vulnerability. There are also vulnerabilities without risk: for example, when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists. The window of vulnerability is the time from when the security hole was introduced or manifested in deployed software to when access was removed, a security fix was available/deployed, or the attacker was disabled (see zero-day attack).
A security bug is a narrower concept. There are vulnerabilities that are not related to software: hardware, site and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.
A weakness of an asset or group of assets that can be exploited by one or more threats, where an asset
is anything that has value to the organization, its business
operations, and their continuity, including information resources that
support the organization's mission
Vulnerability—Weakness in an information system, system
security procedures, internal controls, or implementation that could be
exploited by a threat source.
Many NIST publications define vulnerability in the IT context; the FISMApedia entry for the term provides a list. Among them, SP 800-30 gives a broader one:
A flaw or weakness in system security procedures, design,
implementation, or internal controls that could be exercised
(accidentally triggered or intentionally exploited) and result in a
security breach or a violation of the system's security policy.
The existence of a weakness, design, or implementation error
that can lead to an unexpected, undesirable event [G.11] compromising
the security of the computer system, network, application, or protocol
involved. (ITSEC)
The probability that an asset will be unable to resist the actions of a threat agent
According to FAIR, vulnerability is related to Control Strength, i.e. the strength of a control as compared to a standard measure of force, and Threat Capability, i.e. the probable level of force that a threat agent is capable of applying against an asset.
ISACA defines vulnerability in the Risk IT framework as:
A weakness in design, implementation, operation or internal control
Data and Computer Security: Dictionary of Standards, Concepts and Terms, by Dennis Longley and Michael Shain, Stockton Press, ISBN 0-935859-17-9, defines vulnerability as:
1) In computer security, a weakness in automated systems security procedures, administrative controls, Internet controls, etc., that could be exploited by a threat to gain unauthorized access to information or to disrupt critical processing.
2) In computer security, a weakness in the physical layout, organization, procedures, personnel, management, administration, hardware or software that may be exploited to cause harm to the ADP system or activity.
3) In computer security, any weakness or flaw existing in a system. The attack or harmful event, or the opportunity available to a threat agent to mount that attack.
Matt Bishop and Dave Bailey give the following definition of computer vulnerability:
A computer system is composed of states describing the
current configuration of the entities that make up the computer system.
The system computes through the application of state transitions that
change the state of the system. All states reachable from a given
initial state using a set of state transitions fall into the class of
authorized or unauthorized, as defined by a security policy. In this
paper, the definitions of these classes and transitions is considered
axiomatic. A vulnerable state is an authorized state from which an
unauthorized state can be reached using authorized state transitions. A
compromised state is the state so reached. An attack is a sequence of
authorized state transitions which end in a compromised state. By
definition, an attack begins in a vulnerable state. A vulnerability is a
characterization of a vulnerable state which distinguishes it from all
non-vulnerable states. If generic, the vulnerability may characterize
many vulnerable states; if specific, it may characterize only one...
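Bishop and Bailey's definition can be made concrete by searching a state machine for authorized states from which an unauthorized state is reachable using only authorized transitions. This is an added example, not code from the paper; the four-state system, its policy labels and the transition names are assumptions constructed for illustration.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed toy system (an assumption of this example, not from the text).
# The security policy labels each state authorized (True) or unauthorized (False).
POLICY: Dict[str, bool] = {
    "anonymous": True,
    "logged_in": True,
    "view_own_record": True,
    "view_other_record": False,  # reading another user's record violates the policy
}

# Transitions the system actually lets happen, as (from_state, action, to_state).
# In Bishop and Bailey's terms every transition listed here is *authorized*: the
# system permits it. The flaw is that one of them leads to an unauthorized state,
# because the ownership check on the record id is missing.
TRANSITIONS: List[Tuple[str, str, str]] = [
    ("anonymous", "login", "logged_in"),
    ("logged_in", "logout", "anonymous"),
    ("logged_in", "open own record", "view_own_record"),
    ("view_own_record", "change record id", "view_other_record"),
]


def find_attacks(policy: Dict[str, bool],
                 transitions: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map every vulnerable state to a shortest attack starting from it.

    A state is vulnerable if it is authorized and an unauthorized (compromised)
    state is reachable from it via authorized transitions; the attack is the
    sequence of transitions that gets there. Breadth-first search yields the
    shortest such sequence for each start state.
    """
    successors: Dict[str, List[Tuple[str, str]]] = {}
    for src, action, dst in transitions:
        successors.setdefault(src, []).append((action, dst))

    attacks: Dict[str, List[str]] = {}
    for start, authorized in policy.items():
        if not authorized:
            continue  # by definition only authorized states can be vulnerable
        queue = deque([(start, [])])
        seen = {start}
        while queue:
            state, path = queue.popleft()
            if not policy[state]:
                attacks[start] = path  # first unauthorized state reached: compromised
                break
            for action, nxt in successors.get(state, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [action]))
    return attacks


def vulnerable_states(policy: Dict[str, bool],
                      transitions: List[Tuple[str, str, str]]) -> List[str]:
    """The vulnerability, in Bishop and Bailey's sense, characterizes these states."""
    return sorted(find_attacks(policy, transitions))


def remove_transition(transitions: List[Tuple[str, str, str]],
                      action: str) -> List[Tuple[str, str, str]]:
    """Defender's fix: make the flawed transition unavailable (here, drop it), which
    is what adding the missing ownership check does to the real system."""
    return [t for t in transitions if t[1] != action]


if __name__ == "__main__":
    print("vulnerable states:", vulnerable_states(POLICY, TRANSITIONS))
    for state, attack in find_attacks(POLICY, TRANSITIONS).items():
        print(f"  from {state}: {' -> '.join(attack)}")
    fixed = remove_transition(TRANSITIONS, "change record id")
    print("after the fix:", vulnerable_states(POLICY, fixed))
```

Every authorized state is vulnerable here because the compromised state is reachable from all of them; removing the one unchecked transition empties the set, which is the state-machine view of "the vulnerability has been fixed".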
1. A weakness in automated system security procedures, administrative controls, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.
2. A weakness in system security procedures, hardware design, internal controls, etc., which could be exploited to gain unauthorized access to classified or sensitive information.
3. A weakness in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the ADP system or activity. The presence of a vulnerability does not in itself cause harm; a vulnerability is merely a condition or set of conditions that may allow the ADP system or activity to be harmed by an attack.
4. An assertion primarily concerning entities of the internal environment (assets); we say that an asset (or class of assets) is vulnerable (in some way, possibly involving an agent or collection of agents); we write: V(i,e) where: e may be an empty set.
5. Susceptibility to various threats.
6. A set of properties of a specific internal entity that, in union with a set of properties of a specific external entity, implies a risk.
7. The characteristics of a system which cause it to suffer a definite degradation (incapability to perform the designated mission) as a result of having been subjected to a certain level of effects in an unnatural (manmade) hostile environment.
Vulnerability and risk factor models
A resource (either physical or logical) may have one or more
vulnerabilities that can be exploited by a threat actor. The result can
potentially compromise the confidentiality, integrity or availability
of resources (not necessarily the vulnerable one) belonging to an
organization and/or other parties involved (customers, suppliers). The
so-called CIA triad is a cornerstone of Information Security.
An attack can be active when it attempts to alter system resources or affect their operation, compromising integrity or availability. A "passive attack"
attempts to learn or make use of information from the system but does
not affect system resources, compromising confidentiality.
OWASP
(see figure) depicts the same phenomenon in slightly different terms: a
threat agent through an attack vector exploits a weakness
(vulnerability) of the system and the related security controls, causing
a technical impact on an IT resource (asset) connected to a business
impact.
The overall picture represents the risk factors of the risk scenario.
Information security management system
A set of policies concerned with the information security management system (ISMS) has been developed to manage, according to risk management principles, the countermeasures needed to ensure a security strategy is set up following the rules and regulations applicable to a given organization. These countermeasures are also called security controls, but when applied to the transmission of information they are called security services.
Classification
Vulnerabilities are classified according to the asset class they are related to:
area subject to natural disasters (e.g. flood, earthquake)
interruption of power source
organizational
lack of regular audits
lack of continuity plans
lack of security
Causes
Complexity: Large, complex systems increase the probability of flaws and unintended access points.
Familiarity: Using common, well-known code, software, operating
systems, and/or hardware increases the probability an attacker has or
can find the knowledge and tools to exploit the flaw.
Connectivity: More physical connections, privileges, ports, protocols and services, and the longer each of those is accessible, increase vulnerability.
Password management flaws: The computer user uses weak passwords that could be discovered by brute force.
The computer user stores the password on the computer where a program
can access it. Users re-use passwords between many programs and
websites.
Fundamental operating system design flaws: The operating system designer chooses to enforce suboptimal policies on user/program management. For example, operating systems with policies such as default permit grant every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
Internet Website Browsing: Some internet websites may contain harmful Spyware or Adware
that can be installed automatically on the computer systems. After
visiting those websites, the computer systems become infected and
personal information will be collected and passed on to third party
individuals.
Software bugs:
The programmer leaves an exploitable bug in a software program. The
software bug may allow an attacker to misuse an application.
Unchecked user input: The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (buffer overflows, SQL injection and other non-validated input flaws).
Not learning from past mistakes: for example, most vulnerabilities discovered in IPv4 protocol software were discovered again in the new IPv6 implementations.
Research has shown that the most vulnerable point in most information systems is the human user, operator, designer or other human, so humans should be considered in their different roles as asset, threat and information resource. Social engineering is an increasing security concern.
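The unchecked-input cause listed above, as an added example that is not part of the original text: a user lookup that splices input into an SQL statement beside its parameterized form, with an allow-list check placed in front of it as defence in depth. The in-memory table, its rows and the function names are constructed for this example.

```python
import re
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (an assumption, not from the text)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn


def lookup_unchecked(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable form: assumes the input is safe and splices it into the SQL text.

    Whatever the caller supplies becomes part of the statement, so input can
    change the statement's meaning (the unintended execution of SQL the text
    describes) or simply break it (a legitimate name containing an apostrophe).
    """
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened form: the input is bound as a parameter. The engine never parses
    it as SQL, so it can only ever be compared against the name column."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list of what a username may look like: letters, digits, underscore,
# apostrophe and hyphen, at most 32 characters. Anything else is rejected.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_'-]{0,31}$")


def validate_username(name: str) -> str:
    """Defence in depth: reject input that does not look like a username before
    it reaches any query. Returns the value so callers can chain the check."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"invalid username: {name!r}")
    return name


def lookup_checked(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Validated input bound as a parameter: both layers of protection."""
    return lookup_parameterized(conn, validate_username(name))


def demo() -> Dict[str, object]:
    """Run the same inputs through both forms and collect what each returns."""
    conn = make_db()
    tautology = "' OR '1'='1"  # input that rewrites the WHERE clause when spliced in
    results: Dict[str, object] = {
        "unchecked_alice": lookup_unchecked(conn, "alice"),
        "unchecked_tautology": lookup_unchecked(conn, tautology),   # every row leaks
        "param_tautology": lookup_parameterized(conn, tautology),   # no such name
        "param_apostrophe": lookup_parameterized(conn, "o'brien"),  # works as intended
    }
    try:
        lookup_unchecked(conn, "o'brien")  # the spliced quote breaks the statement
        results["unchecked_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["unchecked_apostrophe"] = "OperationalError"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```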
Consequences
The impact of a security breach can be very high.
Most legislation treats the failure of IT managers to address vulnerabilities in IT systems and applications that are known to them as misconduct; IT managers have a responsibility to manage IT risk. Privacy law forces managers to act to reduce the impact or likelihood of that security risk. An information technology security audit is a way to let independent people certify that the IT environment is managed properly and to lessen the managers' responsibility, at least by demonstrating good faith. A penetration test is a form of verification of the weaknesses and countermeasures of an organisation: a white-hat hacker tries to attack the organisation's information technology assets to find out how easy or difficult it is to compromise its IT security. The proper way to professionally manage IT risk is to adopt an information security management system, such as ISO/IEC 27002 or Risk IT, and follow it according to the security strategy set forth by upper management.
One of the key concepts of information security is the principle of defence in depth, i.e. to set up a multilayer defence system that can:
Physical security
is a set of measures to physically protect an information asset: if
somebody can get physical access to the asset, it is widely accepted
that an attacker can access any information on it or make the resource
unavailable to its legitimate users.
Some sets of criteria to be satisfied by a computer, its operating system and applications to meet a good security level have been developed: ITSEC and the Common Criteria are two examples.
Vulnerability disclosure
Coordinated disclosure
(some refer to it as "responsible disclosure" but that is considered a
biased term by others) of vulnerabilities is a topic of great debate. As
reported by The Tech Herald in August 2010, "Google, Microsoft, TippingPoint, and Rapid7 have issued guidelines and statements addressing how they will deal with disclosure going forward." The other method is typically full disclosure,
when all the details of a vulnerability are publicized, sometimes with
the intent to put pressure on the software author to publish a fix more
quickly. In January 2014 when Google revealed a Microsoft vulnerability
before Microsoft released a patch to fix it, a Microsoft representative
called for coordinated practices among software companies in revealing
disclosures.
Cloud service providers often do not list security issues in their services using the CVE system. There is currently no universal standard for cloud computing vulnerability enumeration, severity assessment, and no unified tracking mechanism. The Open CVDB
initiative is a community-driven centralized cloud vulnerability
database that catalogs CSP vulnerabilities, and lists the steps users
can take to detect or prevent these issues in their own environments.
OWASP maintains a list of vulnerability classes with the aim of
educating system designers and programmers, therefore reducing the
likelihood of vulnerabilities being written unintentionally into the
software.
Vulnerability disclosure date
The time of disclosure of a vulnerability is defined differently in the
security community and industry. It is most commonly referred to as "a
kind of public disclosure of security information by a certain party".
Usually, vulnerability information is discussed on a mailing list or
published on a security web site and results in a security advisory
afterward.
The time of disclosure is the first date a security vulnerability is described on a channel where the disclosed information on the vulnerability has to fulfill the following requirements:
The information is freely available to the public
The vulnerability information is published by a trusted and independent channel/source
The vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure
Identifying and removing vulnerabilities
Many software tools exist that can aid in the discovery (and
sometimes removal) of vulnerabilities in a computer system. Though these
tools can provide an auditor with a good overview of possible
vulnerabilities present, they cannot replace human judgment. Relying
solely on scanners will yield false positives and a limited-scope view
of the problems present in the system.
Vulnerabilities have been found in every major operating system including Windows, macOS, various forms of Unix and Linux, OpenVMS,
and others. The only way to reduce the chance of a vulnerability being
used against a system is through constant vigilance, including careful
system maintenance (e.g. applying software patches), best practices in
deployment (e.g. the use of firewalls and access controls) and auditing (both during development and throughout the deployment lifecycle).
Locations in which vulnerabilities manifest
Vulnerabilities are related to and can manifest in:
physical environment of the system
the personnel (i.e. employees, management)
administration procedures and security policy
business operation and service delivery
hardware including peripheral devices
software (i.e. on premises or in cloud)
connectivity (i.e. communication equipment and facilities)
A purely technical approach cannot always protect physical assets: there should be administrative procedures to let maintenance personnel enter the facilities, and people with adequate knowledge of the procedures who are motivated to follow them with proper care. However, technical protections do not necessarily stop social engineering attacks.
Examples of vulnerabilities:
an attacker finds and uses a buffer overflow weakness to install malware to then exfiltrate sensitive data;
an attacker convinces a user to open an email message with attached malware;
a flood damages one's computer systems installed at ground floor.
Software vulnerabilities
Common types of software flaws that lead to vulnerabilities include:
Several sets of coding guidelines have been developed, and a large number of static code analyzers have been used to verify that code follows the guidelines.
A cyberattack (or cyber attack) is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices,
or smartphones. An attacker is a person or process that attempts to
access data, functions, or other restricted areas of the system without
authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states,
individuals, groups, societies or organizations and it may originate
from an anonymous source. A product that facilitates a cyberattack is
sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack (DDoS).
A cyberattack may steal, alter, or destroy a specified target by hacking into a private network or otherwise susceptible system. Cyberattacks can range from installing spyware
on a personal computer to attempting to destroy the infrastructure of
entire nations. Legal experts are seeking to limit the use of the term
to incidents causing physical damage, distinguishing it from the more
routine data breaches and broader hacking activities.
Cyberattacks have become increasingly sophisticated, hazardous, and expensive to recover from.
Since the late 1980s, cyberattacks have evolved several times to use innovations in information technology as vectors for committing cybercrimes. In recent years, the scale and robustness of cyberattacks have increased rapidly, as the World Economic Forum observed in its 2018 Global Risks Report: "Offensive cyber capabilities are developing more rapidly than our ability to deal with hostile incidents".
an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.
Any kind of malicious activity that attempts to collect,
disrupt, deny, degrade, or destroy information system resources or the
information itself.
The increasing dependency of modern society on information and
computer networks (both in private and public sectors, including the
military) has led to new terms like cyber attack and cyber warfare.
CNSS Instruction No. 4009 defines a cyber attack as:
An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
As cars begin to adopt more technology, cyber attacks are becoming a security threat to automobiles.
Prevalence
In the first six months of 2017, two billion data records were stolen or impacted by cyber attacks, and ransomware payments reached US$2 billion, double that in 2016.
In 2020, with the increase of remote work as an effect of the COVID-19
global pandemic, cybersecurity statistics reveal a huge increase in
hacked and breached data. The worldwide information security market is forecast to reach $170.4 billion in 2022.
Cyber warfare
utilizes techniques of defending and attacking information and computer
networks that inhabit cyberspace, often through a prolonged cyber campaign or series of related campaigns. It denies an opponent's ability to do the same while employing technological instruments of war
to attack an opponent's critical computer systems. Cyberterrorism, on
the other hand, is "the use of computer network tools to shut down
critical national infrastructures (such as energy, transportation,
government operations) or to coerce or intimidate a government or
civilian population".
That means the result of both cyber warfare and cyberterrorism is the
same, to damage critical infrastructures and computer systems linked
together within the confines of cyberspace.
The financial crime expert Veit Buetterlin explained that
organizations, including state actors, which cannot finance themselves
through trade because of imposed sanctions, conduct cyber attacks on
banks to generate funds.
Factors
Three factors contribute to why cyberattacks are launched against a
state or an individual: the fear factor, the spectacularity factor, and
the vulnerability factor.
Spectacularity factor
The spectacularity factor is a measure of the actual damage achieved by an attack, meaning that the attack creates direct losses (usually loss of availability or loss of income) and garners negative publicity. On 8
February 2000, a Denial of Service attack severely reduced traffic to
many major sites, including Amazon, Buy.com, CNN, and eBay (the attack
continued to affect still other sites the next day). Amazon reportedly estimated the loss of business at $600,000.
Vulnerability factor
The vulnerability factor exploits how vulnerable an organization or
government establishment is to cyberattacks. Organizations without
maintenance systems might be running on old servers which are more
vulnerable than updated systems. An organization can be vulnerable to a
denial of service attack and a government establishment can be defaced
on a web page. A computer network attack disrupts the integrity or
authenticity of data, usually through malicious code that alters program
logic that controls data, leading to errors in the output.
Professional hackers to cyberterrorists
Ethical hackers, either working on their own or employed by
government agencies or the military, can find computer systems with
vulnerabilities lacking the appropriate security software. Once those
vulnerabilities are found, they can infect systems with malicious code
and then remotely control the system or computer by sending commands to
view content or to disrupt other computers. There needs to be a
pre-existing system flaw within the computer such as no antivirus
protection or faulty system configuration for the viral code to work.
Many ethical hackers will promote themselves to cyber terrorists, for financial gain or other reasons.
This means a new set of rules govern their actions. Cyberterrorists
have premeditated plans and their attacks are not born of rage.
They need to develop their plans step-by-step and acquire the
appropriate software to carry out an attack. They usually have political
agendas, targeting political structures. Cyberterrorists are hackers with a political motivation; their attacks can impact political structures through such corruption and destruction.
They also target civilians, civilian interests, and civilian
installations. As previously stated, cyberterrorists attack persons or
property and cause enough harm to generate fear.
An "active attack" attempts to alter system resources or affect their operation.
A "passive attack" attempts to learn or make use of information from the system but does not affect system resources (e.g., wiretapping).
An attack can be perpetrated by an insider or from outside the organization.
An "inside attack" is an attack initiated by an entity inside
the security perimeter (an "insider"), i.e., an entity that is
authorized to access system resources but uses them in a way not
approved by those who granted the authorization.
An "outside attack" is initiated from outside the perimeter, by an
unauthorized or illegitimate user of the system (an "outsider"). In the
Internet, potential outside attackers range from amateur pranksters to
organized criminals, international terrorists, and hostile governments.
A resource (both physical or logical), called an asset, can have one or more vulnerabilities that can be exploited by a threat agent in a threat action. As a result, the confidentiality, integrity or availability
of resources may be compromised. Potentially, the damage may extend to
resources in addition to the one initially identified as vulnerable,
including further resources of the organization, and the resources of
other involved parties (customers, suppliers).
The attack can be active when it attempts to alter system resources or affect their operation: so it compromises integrity or availability. A "passive attack"
attempts to learn or make use of information from the system but does
not affect system resources: so it compromises confidentiality.
A threat is a potential for violation of security, which exists
when there is a circumstance, capability, action or event that could
breach security and cause harm. That is, a threat is a possible danger
that might exploit a vulnerability. A threat can be either "intentional"
(i.e., intelligent; e.g., an individual cracker or a criminal
organization) or "accidental" (e.g., the possibility of a computer
malfunctioning, or the possibility of an "act of God" such as an
earthquake, a fire, or a tornado).
A set of policies concerned with information security management, the information security management system (ISMS), has been developed to manage, according to risk management principles, the countermeasures needed to accomplish a security strategy set up following the rules and regulations applicable in a country.
An attack should lead to a security incident, i.e. a security event that involves a security violation: a security-relevant system event in which the system's security policy is disobeyed or otherwise breached.
An organization should take steps to detect, classify and manage security incidents. The first logical step is to set up an incident response plan and eventually a computer emergency response team.
An attack is usually perpetrated by someone with bad intentions: black-hat attacks fall in this category, while others perform penetration testing on an organization's information system to find out if all foreseen controls are in place.
Attacks can be classified according to their origin, i.e. whether they are conducted using one or more computers; in the latter case the attack is called a distributed attack. Botnets are used to conduct distributed attacks.
Other classifications are according to the procedures used or the
type of vulnerabilities exploited: attacks can be concentrated on
network mechanisms or host features.
Some attacks are physical, i.e. theft or damage of computers and other equipment. Others are attempts to force changes in the logic used by computers or network protocols in order to achieve a result unforeseen by the original designer but useful for the attacker. Software used for logical attacks on computers is called malware.
A DDoS, or Distributed Denial of Service, attack is an attempt made by a hacker to block access to a server or a website that is connected to the Internet. This is achieved using multiple computerized systems, which overload the target system with requests, making it incapable of responding to any query.
In detail, there are a number of techniques to utilize in
cyberattacks and a variety of ways to administer them to individuals or
establishments on a broader scale. Attacks are broken down into two categories: syntactic attacks and semantic attacks. Syntactic attacks are straightforward: they consist of malicious software, which includes viruses, worms and Trojan horses.
A virus is a self-replicating program that can attach itself to
another program or file in order to reproduce. The virus can hide in
unlikely locations in the memory of a computer system and attach itself
to whatever file it sees fit to execute its code. It can also change its
digital footprint each time it replicates making it harder to track
down in the computer.
A worm does not need another file or program to copy itself; it is a self-sustaining running program. Worms replicate over a network using protocols. The latest incarnations of worms make use of known vulnerabilities in systems to penetrate, execute their code and replicate to other systems; the Code Red II worm, for example, infected more than 259 000 systems in less than 14 hours.
On a much larger scale, worms can be designed for industrial espionage
to monitor and collect server and traffic activities then transmit it
back to its creator.
A Trojan horse is designed to perform legitimate tasks but it also performs unknown and unwanted activity. It can be the basis of many viruses and worms, installing onto the computer as keyboard loggers and backdoor software. In a commercial sense, Trojans can be embedded in trial versions of software and can gather additional intelligence about the target without the person even knowing it is happening. All three of these are likely to attack an individual or establishment through emails, web browsers, chat clients, remote software, and updates.
Semantic attacks
A semantic attack is the modification and dissemination of correct and incorrect information. Information could be modified without the use of computers, even though new opportunities can be found by using them. Disseminating incorrect information can be used to send someone in the wrong direction or to cover one's tracks.
Cyberattacks by and against countries
In Q2 of 2013, Akamai Technologies reported that Indonesia topped China with a 38 percent share of cyber attacks, an increase from its 21 percent share in the previous quarter. China was at 33 percent and the US at 6.9 percent. 79 percent of attacks came from the Asia Pacific region. Indonesia dominated the attacks on ports 80 and 443, accounting for about 90 percent.
China's People's Liberation Army (PLA) has developed a strategy called "Integrated Network Electronic Warfare" which guides computer network operations and cyber warfare
tools. This strategy helps link together network warfare tools and
electronic warfare weapons against an opponent's information systems
during the conflict. They believe that the fundamentals for achieving success lie in seizing control of an opponent's information flow and establishing information dominance. The Science of Military and The Science of Campaigns both identify enemy logistics system networks as the highest priority for cyberattacks and state that cyber warfare must mark the start of a campaign and, used properly, can enable overall operational success.
Focusing on attacking the opponent's infrastructure to disrupt
transmissions and processes of information that dictate decision-making
operations, the PLA would secure cyber dominance over their adversary.
The predominant techniques that would be utilized during a conflict to gain the upper hand are as follows: the PLA would strike with electronic jammers, electronic deception and suppression techniques to interrupt the transfer processes of information, and would launch virus attacks or hacking techniques to sabotage information processes, all in the hope of destroying enemy information platforms and facilities. The
PLA's Science of Campaigns noted that one role for cyber warfare
is to create windows of opportunity for other forces to operate without
detection or with a lowered risk of counterattack by exploiting the
enemy's periods of "blindness", "deafness" or "paralysis" created by
cyberattacks.
That is one of the main focal points of cyber warfare: to weaken the enemy as far as possible so that a physical offensive has a higher chance of success.
The PLA conducts regular training exercises in a variety of environments, emphasizing the use of cyber warfare tactics and techniques and the countering of such tactics if they are employed against it. Faculty research has focused on rootkit use and detection for the Kylin Operating System, which helps further train these individuals in cyber warfare techniques. China perceives cyber warfare as a deterrent comparable to nuclear weapons, offering greater precision, fewer casualties, and the ability to conduct long-range attacks.
On March 2, 2021, Microsoft released an emergency security update to patch four security vulnerabilities that had been used by Hafnium, a Chinese state-sponsored hacking group that had compromised at least 30,000 public and private Microsoft Exchange servers.
Estonia
The 2007 cyberattacks on Estonia were a series of cyberattacks that began on 27 April 2007 and targeted websites of Estonian organizations, including the Estonian parliament, banks, ministries, newspapers, and broadcasters, amid the country's disagreement with Russia about the relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker, as well as war graves in Tallinn. The attacks led a number of military organizations around the world to reconsider the importance of network security to modern military doctrine. A direct result of the cyberattacks was the creation of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn.
Ethiopia
In an extension of a bilateral dispute between Ethiopia and Egypt over the Grand Ethiopian Renaissance Dam, Ethiopian government websites were hacked by Egypt-based hackers in June 2020.
India and Pakistan
Cyberspace conflicts between India and Pakistan began in the 1990s; the earliest known cyberattacks date to 1999. Since then, the long-term dispute between India and Pakistan over Kashmir has moved into cyberspace. Historical accounts indicate that each country's hackers have repeatedly attacked the other's computing and database systems. The number of attacks has grown yearly: 45 in 1999, 133 in 2000, and 275 by the end of August 2001. In 2010, Indian hackers going by the name "Indian Cyber Army" attacked at least 36 government database websites. In 2013, Indian hackers hacked the official website of the Election Commission of Pakistan in an attempt to retrieve sensitive database information. In retaliation, Pakistani hackers calling themselves "True Cyber Army" hacked and defaced ~1,059 websites of Indian election bodies.
According to the media, Pakistan has been working on an effective cyber security system in a program called "Cyber Secure Pakistan" (CSP). The program was launched in April 2013 by the Pakistan Information Security Association and has expanded to the country's universities.
In 2020, according to media reports, the Pakistan Army confirmed a series of cyberattacks on Pakistani government and private websites by Indian intelligence. ISPR also advised government and private institutions to enhance their cyber security measures.
Iran
At noon on 26 October 2021, a cyberattack disrupted all 4,300 fuel stations in Iran and disabled the government-issued cards used for buying subsidized fuel. The cyberattack also caused digital billboards to display messages against the Iranian government.
Ireland
It was the most significant cybercrime attack on an Irish state agency and the largest known attack against a health service computer system. The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Russia. The same group is believed to have attacked Ireland's Department of Health with a similar cyberattack.
Israel
In April 2020, Iran attempted to hack into Israel's water infrastructure in the central Sharon region; the attempts were thwarted by Israeli cyber defenses. The cyberattack was intended to introduce dangerous levels of chlorine into the Israeli water supply.
North Korea
In February 2024, UN sanctions monitors were investigating claims that dozens of cyberattacks North Korea is suspected of carrying out have raised around $3 billion, which is being used to fund and develop its nuclear weapons program.
Norway
In August 2020, the Norwegian parliament Stortinget suffered a cyberattack on the email system belonging to several officials. In December 2020, the Norwegian Police Security Service said the likely perpetrators were the Russian cyber espionage group Fancy Bear.
Russia
During the 2018 FIFA World Cup, Russia countered and stopped around 25 million cyberattacks on its IT infrastructure.
In June 2019, Russia conceded that it is "possible" its electrical grid is under cyberattack by the United States. The New York Times reported that American hackers from the United States Cyber Command had planted malware potentially capable of disrupting the Russian electrical grid.
On 19 October 2020, the US Justice Department charged six Russian military officers over a worldwide hacking campaign that attacked targets such as the French election, the 2018 Winter Olympic Games opening ceremony, US businesses, and Ukraine's electricity grid. The campaign was believed to have cost billions of dollars in the mass disruption it caused.
Ukraine
A series of powerful cyberattacks began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers, and electricity firms. In January 2022, Microsoft disclosed ransomware and DoS activity against various government agencies and organizations.
United Arab Emirates
In 2019, Reuters reported that the United Arab Emirates had launched a series of cyberattacks on its political opponents, journalists, and human rights activists under Project Raven, using an espionage platform named Karma. The team included ex-US intelligence agents. Project Raven commenced in 2009 and was planned to continue for the following ten years.
The United Arab Emirates sought help from a couple of countries, which provided their best specialists to overcome this crisis and to confine the damage and consequences of Project Raven; notable participants included the American Graham Dexter and the Egyptian cybersecurity specialist Elhamy Elsebaey.
United States
In the West, the United States takes a different "tone of voice" when cyber warfare is discussed. The United States draws up security plans strictly in response to cyber warfare, going on the defensive when attacked by devious cyber methods. In the U.S., responsibility for cybersecurity is divided among the Department of Homeland Security, the Federal Bureau of Investigation, and the Department of Defense. In recent years, a new department was created specifically to tend to cyber threats: Cyber Command. Cyber Command is a military subcommand under US Strategic Command and is responsible for dealing with threats to the military cyber infrastructure. Cyber Command's service elements include Army Forces Cyber Command, the Twenty-Fourth Air Force, Fleet Cyber Command and Marine Forces Cyber Command.
It ensures that the President can navigate and control information systems and has military options available when the defense of the nation needs to be enacted in cyberspace. Individuals at Cyber Command must pay attention to state and non-state actors who are developing cyber warfare capabilities for conducting cyber espionage and other cyberattacks against the nation and its allies. Cyber Command seeks to be a deterrent that dissuades potential adversaries from attacking the U.S., while also being a multi-faceted department that conducts cyber operations of its own.
Three prominent events took place that may have been catalysts for the creation of Cyber Command. The first was a failure of critical infrastructure reported by the CIA, in which malicious activity against information technology systems disrupted electrical power overseas, resulting in multi-city power outages across multiple regions. The second was the exploitation of global financial services: in November 2008, an international bank's compromised payment processor allowed fraudulent transactions to be made at more than 130 automated teller machines in 49 cities within a 30-minute period.
The third was the systemic loss of U.S. economic value, with one industry estimate in 2008 putting losses of intellectual property to data theft at $1 trillion. Even though all these events were internal catastrophes, they were very real, meaning nothing can stop state or non-state actors from doing the same thing on an even grander scale. Other initiatives, like the Cyber Training Advisory Council, were created to improve the quality, efficiency, and sufficiency of training for computer network defense, attack, and exploitation of enemy cyber operations.
On both ends of the spectrum, East and West nations show a "sword and shield" contrast in ideals. The Chinese have a more offensively minded view of cyber warfare, seeking a pre-emptive strike in the early stages of conflict to gain the upper hand. In the U.S., more reactive measures are being taken, aimed at creating systems with impenetrable barriers to protect the nation and its civilians from cyberattacks.
According to Homeland Preparedness News, many mid-sized
U.S. companies have a difficult time defending their systems against
cyber-attacks. Around 80 percent of assets vulnerable to a cyber-attack
are owned by private companies and organizations. Former New York State
Deputy Secretary for Public Safety Michael Balboni said that private
entities "do not have the type of capability, bandwidth, interest or
experience to develop a proactive cyber analysis."
In response to cyberattacks, on 1 April 2015 President Obama issued an Executive Order establishing the first-ever economic sanctions of this kind. The Executive Order impacts individuals and entities ("designees") responsible for cyberattacks that threaten the national security, foreign policy, economic health, or financial stability of the US. Specifically, it authorizes the Treasury Department to freeze designees' assets.
According to Ted Koppel's
book, in 2008, the United States in collaboration with Israel, ran a
cyber-attack on Iran's nuclear program, becoming "the first to use a
digital weapon as an instrument of policy".
Consequence of a potential attack
Consequences can include a multitude of direct and indirect effects. In September 2020, media reported what may be the first publicly confirmed case of a civilian fatality as a nearly direct consequence of a cyberattack, after ransomware disrupted a hospital in Germany.
A whole industry is working to minimize the likelihood and the consequences of a cyberattack.
Many organizations are trying to classify vulnerabilities and their consequences. The most popular vulnerability database is Common Vulnerabilities and Exposures (CVE).
Infrastructures as targets
Once a cyberattack has been initiated, there are certain targets that need to be attacked to cripple the opponent. Certain infrastructures have been highlighted as critical infrastructures whose disruption in times of conflict can severely cripple a nation. Control systems, energy resources, finance, telecommunications, transportation, and water facilities are seen as critical infrastructure targets during conflict. A new report on industrial cybersecurity problems, produced by the British Columbia Institute of Technology and the PA Consulting Group using data going back to 1981, reportedly found a 10-fold increase in the number of successful cyberattacks on infrastructure Supervisory Control and Data Acquisition (SCADA) systems since 2000. Cyberattacks that have an adverse physical effect are known as cyber-physical attacks.
Control systems
Control systems are responsible for activating and monitoring industrial or mechanical controls. Many devices are integrated with computer platforms to control valves and gates in physical infrastructure. Control systems are usually designed as remote telemetry devices that link to other physical devices through internet access or modems. Little security can be offered for these devices, enabling hackers or cyberterrorists to seek out systematic vulnerabilities. Paul Blomgren, manager of sales engineering at a cybersecurity firm, explained how his people drove to a remote substation, saw a wireless network antenna and immediately plugged in their wireless LAN cards. They took out their laptops and connected to the system because it wasn't using passwords. "Within 10 minutes, they had mapped every piece of equipment in the facility," Blomgren said. "Within 15 minutes, they mapped every piece of equipment in the operational control network. Within 20 minutes, they were talking to the business network and had pulled off several business reports. They never even left the vehicle."
Energy
Energy is seen as the second infrastructure that could be attacked. It is broken down into two categories, electricity and natural gas. Electricity, delivered through electric grids, powers cities, regions, and households; it powers machines and other mechanisms used in day-to-day life. Using the US as an example, in a conflict cyberterrorists can access data through the Daily Report of System Status, which shows power flows throughout the system, and can pinpoint the busiest sections of the grid. By shutting those grids down, they can cause mass hysteria, backlog, and confusion, and can locate critical areas of operation for further, more direct attacks. Cyberterrorists can access instructions on how to connect to the Bonneville Power Administration, which helps direct them on how not to fault the system in the process. This is a major advantage during cyberattacks because foreign attackers with no prior knowledge of the system can attack with the highest accuracy and without drawbacks. Cyberattacks on natural gas installations go much the same way as attacks on electrical grids. Cyberterrorists can shut down these installations, stopping the flow, or can even reroute gas flows to another section occupied by one of their allies. There was a case in Russia in which the gas supplier Gazprom lost control of its central switchboard, which routes gas flow, after an inside operator and a Trojan horse program bypassed security.
Wind farms, both onshore and offshore, are also at risk from cyberattacks. In February 2022, the German wind turbine maker Enercon lost remote connection to some 5,800 turbines following a large-scale disruption of satellite links. In April 2022, another company, Deutsche Windtechnik, also lost control of roughly 2,000 turbines because of a cyberattack. While the wind turbines were not damaged in these incidents, the attacks illustrate just how vulnerable their computer systems are.
Finance
Financial infrastructure could be hit hard by cyberattacks, as the financial system is linked by computer systems. Money is constantly being exchanged in these institutions; if cyberterrorists were to attack, rerouting transactions and stealing large amounts of money, financial industries would collapse and civilians would be left without jobs and security. Operations would stall from region to region, causing nationwide economic degradation. In the U.S. alone, the average daily volume of transactions has hit $3 trillion, 99% of it non-cash. Disrupting that amount of money for one day or for a period of days can cause lasting damage, making investors pull out of funding and eroding public confidence.
A cyberattack on a financial institution or on transactions may be referred to as a cyber heist. These attacks may start with phishing that targets employees, using social engineering to coax information from them. This may allow attackers to break into the network and place keyloggers on the accounting systems. In time, the cybercriminals are able to obtain passwords and key information. An organization's bank accounts can then be accessed using the information stolen by the keyloggers. In May 2013, a gang carried out a US$40 million cyber heist from the Bank of Muscat.
Telecommunications
Cyberattacks on telecommunication infrastructure have straightforward results. Telecommunication integration is becoming common practice; systems such as voice and IP networks are merging. Everything is being run through the internet because the speeds and storage capabilities are effectively unlimited. Denial-of-service attacks can be mounted as previously mentioned, but more complex attacks can be made on BGP routing or DNS infrastructure. It is less likely that an attack would target or compromise the traditional telephony network of SS7 switches, or that an attack would be attempted on physical devices such as microwave stations or satellite facilities, though the ability to shut down those physical facilities to disrupt telephony networks would still exist. The whole idea of these cyberattacks is to cut people off from one another, to disrupt communication, and by doing so to impede critical information from being sent and received. In cyber warfare, this is a critical way of gaining the upper hand in a conflict. By controlling the flow of information and communication, a nation can plan more accurate strikes and enact better counter-attack measures against its enemies.
Transportation
Transportation infrastructure mirrors telecommunication facilities: by impeding transportation for individuals in a city or region, the economy will slightly degrade over time. Successful cyberattacks can impact scheduling and accessibility, creating a disruption in the economic chain. Freight carriers will be affected, making it hard for cargo to be sent from one place to another. In January 2003, during the "Slammer" virus outbreak, Continental Airlines was forced to shut down flights due to computer problems.
Cyberterrorists can target railroads by disrupting switches, target flight software to impede airplanes, and target road usage to impede more conventional transportation methods. In May 2015, Chris Roberts, a cyber consultant, revealed to the FBI that from 2011 to 2014 he had allegedly managed repeatedly to hack into the controls of Boeing and Airbus flights via the onboard entertainment system, and had at least once ordered a flight to climb. The FBI, after detaining him in April 2015 in Syracuse, interviewed him about the allegations.
Water
Water infrastructure could be one of the most critical infrastructures to be attacked. It is seen as one of the greatest security hazards among all computer-controlled systems. There is the potential for massive amounts of water to be unleashed into an unprotected area, causing loss of life and property damage. Even water supplies could be attacked, and sewer systems can be compromised too. No calculation was given of the cost of damages, but the estimated cost to replace critical water systems could be in the hundreds of billions of dollars.
Most of these water infrastructures are well developed, making it hard for cyberattacks to cause any significant damage; at most, equipment failure can occur, causing power outlets to be disrupted for a short time.
Hospitals
Hospitals, as infrastructure, are among the major assets to have been impacted by cyberattacks. These attacks could "directly lead to deaths." The cyberattacks are designed to deny hospital workers access to critical care systems. Recently, there has been a major increase in cyberattacks against hospitals amid the COVID-19 pandemic. Hackers lock up a network and demand a ransom to return access to these systems. The ICRC and other human rights groups have urged law enforcement to take "immediate and decisive action" to punish such cyber attackers.
Cyberweapons
Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.
Characteristics
A cyberweapon is usually sponsored or employed by a state or non-state actor, meets an objective that would otherwise require espionage or the use of force, and is employed against specific targets. A cyberweapon performs an action that would normally require a soldier or spy, and which would be considered either illegal or an act of war if performed directly by a human agent of the sponsor during peacetime. Legal issues include violating the privacy of the target and the sovereignty of its host nation. Examples of such actions are surveillance, data theft, and electronic or physical destruction. While a cyberweapon almost certainly results in either direct or indirect financial damage to the target group, direct financial gain for the sponsor is not a primary objective of this class of agent. Cyberweapons are often associated with causing physical or functional harm to the system they attack, despite being software. However, there is no consensus on what officially constitutes a cyberweapon.
Unlike malware used by script kiddies to organize botnets, where the ownership, physical location, and normal role of the attacked machines are largely irrelevant, cyberweapons show high selectivity in their employment, their operation, or both. Before the attack, cyberweapons usually identify the target using various methods. Likewise, malware employed by fraudsters for the theft of personal or financial information demonstrates lower selectivity and wider distribution.
Cyberweapons are dangerous for multiple reasons. They are typically difficult to track or defend against because they lack physical components. Their anonymity allows them to hide in systems undetected until their attack is unleashed. Many of these attacks exploit "zero days" (vulnerabilities in software that vendors have had zero days to fix). They are also significantly cheaper to produce than the cyber defenses needed to protect against them. Oftentimes, cyberweapons from one force are obtained by an opposing force and repurposed against the original force, as seen with the cyberweapons WannaCry and NotPetya.
While the term cyber weapon is frequently used by the press, some articles avoid it, instead using terms such as "internet weapon", "hack", or "virus". Mainstream researchers debate the requirements of the term while still referring to the employment of the agent as a "weapon", and the software development community in particular uses the term more rarely.
Examples
The following malware agents generally meet the criteria above, have been formally referred to in this manner by industry security experts, or have been described this way in government or military statements:
Stuxnet was among the first and most influential cyberweapons. In 2010, it was launched by the United States and Israel to attack Iranian nuclear facilities. Stuxnet is considered the first major cyberweapon, and its use was also the first time a nation used a cyberweapon to attack another nation. Following the Stuxnet attacks, Iran used cyberweapons to target top American financial institutions, including the New York Stock Exchange.
Stuxnet was subsequently followed by Duqu in 2011 and Flame in 2012. Flame's complexity was unmatched at the time. It used vulnerabilities in Microsoft Windows to spread. It specifically targeted Iranian oil terminals.
In 2017, data breaches showed that supposedly secure hacking tools used by government agencies can be obtained, and sometimes exposed, by third parties. Furthermore, it was reported that after losing control of such tools the government appears to leave "exploits open to be re-used by scammers, criminals, or anyone else − for any purpose".
Claudio Guarnieri, a technologist from Amnesty International
states: "what we learn from the disclosures and leaks of the last
months is that unknown vulnerabilities are maintained secret even after
they've been clearly lost, and that is plain irresponsible and
unacceptable".
Also in that year, WikiLeaks released the Vault 7 document series, which contains details of CIA exploits and tools, with Julian Assange stating that they were working to "disarm" them before publication. Disarmament of cyberweapons may take the form of contacting the respective software vendors with information about vulnerabilities in their products, as well as potential help with, or independent development (for open source software) of, patches.
The exploitation of hacking tools by third parties has particularly affected the United States National Security Agency (NSA). In 2016, information about NSA hacking tools was captured by a Chinese hacking group, APT3, allowing it to reverse engineer its own version of the tool. It was subsequently used against European and Asian nations, though the United States was not targeted. Later that year, an anonymous group called the "Shadow Brokers" leaked what are widely believed to be NSA tools online. These two groups are not known to be affiliated, and APT3 had access to the tools at least a year before the Shadow Brokers leak. The leaked tools were developed by the Equation Group, a cyberwarfare group with suspected ties to the NSA.
Among the tools leaked by the Shadow Brokers was EternalBlue, which the NSA had used to exploit bugs in Microsoft Windows. This prompted Microsoft to issue updates to guard against the tool. When the Shadow Brokers publicly released EternalBlue, it was quickly used by North Korean and Russian hackers, who built it into the ransomware WannaCry and NotPetya, respectively. NotPetya, which was initially launched in Ukraine but subsequently spread around the world, encrypted hard drives and forced users to pay a ransom for their data, despite never actually giving the data back.
In September 2018, the United States Department of Defense
officially confirmed that the United States uses cyberweapons to advance
national interests.
Potential Regulations
While there has been no full regulation of cyberweapons, possible systems of regulation have been proposed. One system would have cyberweapons, when not being used by a state, subject to the criminal law of the country and, when being used by a state, subject to international laws on warfare. Most proposed systems rely on international law and enforcement to stop the inappropriate use of cyberweaponry. Considering the novelty of the weapons, there has also been discussion about how previously existing laws, not designed with cyberweapons in mind, apply to them.