Overview of ETL 2014
Discuss the ENISA Threat Landscape 2014.
The information security landscape during the period 2014 – 2015 witnessed a wide range of information security threats and breaches, which forced significant changes in the IT security landscape. The ENISA Threat Landscape 2014 report compiles the information threats encountered and recorded for this period and provides details on the top threats encountered, the increased complexity of attacks, and international coordination between law enforcement agencies and security vendors for the successful handling of threats. ETL 2014 assesses cyber threats by collating and analyzing publicly available information to produce this case study report. One of the main contributions of this report is the identification of the top threats in this reporting period. The ETL 2014 provides high-level information about cyber threats and emerging technologies and is a good starting point on the subject of threat intelligence for non-experts.
The European Union Agency for Network and Information Security (ENISA) is a European agency whose principles focus on network and information security expertise for EU member states. ENISA develops recommendations on good information security practice to provide expertise to both the private sector and Europe's citizens by focusing on network security, data protection, and information security. The ENISA Threat Landscape (ETL) 2014 report covers threat information and analysis of IT security threats for the period December 2013 to December 2014. ETL 2014 is a continuation of the 2012-2013 report on threat assessment.
The report analyzes the ETL 2014 case study, describes the flow of information between threat analysis and relevant stakeholders, and provides information on use cases for threat intelligence. It analyzes the top 15 cyber threats assessed in 2014, with reference to the resources found, along with the role of each threat. An overview of threat agents is provided, with profiles and references to recent developments observed for each threat agent group in the reporting period. New details on attack vectors explain typical attack scenarios, with steps that complement the content by giving brief information on the "how" of a cyber-attack. The report provides details on the technology areas that can be impacted by threats. Ongoing developments in those areas can help attackers achieve their aims, and the defenses envisaged to overcome attacks are also examined. Finally, the report concludes with a summary of interesting problems faced within the threat analysis and thoughts on the future. The ETL 2014 report focuses on making a significant contribution to the implementation of the EU cyber security strategy by consolidating available information for use by security experts.
Diagram for ENISA security infrastructure
Insider threats result in data breaches in the organization. According to the Computer Emergency Response Team (CERT), a malicious insider can be a current or former employee, a business partner or a contractor who has access to data and networks in the organization. The insider has maliciously used the data and information in ways that affect the confidentiality, integrity or privacy of the organization's information systems (Silowash, Cappelli, Moore, Trzeciak, Flynn, & Shimeall, 2012). At the same time, malicious insider activities result in confidential information being compromised. Insider threats can also be due to errors, mistakes or unintentional displacement of information (Karsberg, Skouloudi, & Dekker, 2013). Insider threats can arise from negligent insiders, malicious insiders, and compromised insiders.
Given below are some strategies to prevent insider threats:
Inadequate Controls: Insider threats are mainly due to inadequate technical controls (web traffic, analytics, internet logs, unauthorized access, etc.). These threats must be handled beyond technology solutions by providing awareness and employee guidance; here HR can play a role in explaining policies related to information usage in the organization.
Identify user behaviour: A user may bypass access rights inadvertently, or by using inside knowledge of existing security controls. The security experts in the organization must be able to recognize an internal adversary and check user behavior to detect data usage patterns in the system and identify dissatisfaction (Herring, 2014).
Trustworthiness: Insider threats are due to the destructive and constructive power of trust. Usually, an employee must be evaluated for his/her trustworthiness in the organization.
Evaluating IT risks: A comprehensive risk assessment must be established in the organization to prevent insider threats. In fact, the risk assessment must provide procedures for a combination of insider and external threat agents, which is often overlooked by organizations (Security, 2013).
Risk Monitoring: In addition to the above, detection mechanisms include the use of network monitoring tools and the analysis of system logs. Forensic logging of user communication on the network is another useful way of identifying insider threats.
It is important to note that insider threats are more difficult to identify immediately, and hence adequate security measures must be focused on this area.
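The log analysis described under "Identify user behaviour" and "Risk Monitoring" can be sketched as follows. This is an added example, not code from the ETL 2014 report or the sources cited here; the log format, user names, working hours, thresholds and the list of departed accounts are all assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: ISO timestamp, user, action, bytes transferred.
SAMPLE_LOG = """\
2014-11-03T09:12:00 alice read 1200000
2014-11-04T10:30:00 alice read 1000000
2014-11-05T11:05:00 alice read 1300000
2014-11-06T09:45:00 alice read 1100000
2014-11-07T15:40:00 alice copy 48000000
2014-11-03T10:00:00 bob read 800000
2014-11-04T10:05:00 bob read 900000
2014-11-05T02:30:00 bob read 850000
2014-11-06T11:00:00 bob read 820000
2014-11-06T14:00:00 carol read 500000
2014-11-06T99:00:00 dave read 100
"""

DEPARTED = {"carol"}        # assumed HR feed of accounts that should be disabled
WORK_HOURS = range(7, 20)   # assumed normal working hours, 07:00 to 19:59
SPIKE_FACTOR = 5.0          # assumed: flag days more than 5 MADs above the median
MIN_DAYS = 4                # assumed minimum history before baselining a user

def parse(log_text):
    """Yield (timestamp, user, action, nbytes); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def detect(log_text, departed=DEPARTED):
    """Return sorted (when, user, finding) tuples for three insider indicators."""
    findings = []
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes moved
    for ts, user, _action, nbytes in parse(log_text):
        daily[user][ts.date()] += nbytes
        if user in departed:
            # Any activity from an account of someone who has left is suspect.
            findings.append((ts.isoformat(), user, "departed-account-activity"))
        elif ts.hour not in WORK_HOURS:
            findings.append((ts.isoformat(), user, "off-hours-access"))
    for user, days in daily.items():
        volumes = list(days.values())
        if len(volumes) < MIN_DAYS:
            continue  # not enough history for a per-user baseline
        med = statistics.median(volumes)
        mad = statistics.median([abs(v - med) for v in volumes])
        # Floor the spread so a very regular user does not alert on tiny changes.
        spread = max(mad, 0.05 * med, 1)
        for day, vol in days.items():
            if (vol - med) / spread > SPIKE_FACTOR:
                findings.append((day.isoformat(), user, "volume-spike"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The baseline uses the median and median absolute deviation per user rather than the mean, so that the single large transfer being looked for does not inflate the baseline it is compared against.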
Identifying significant 'Top threat' and justifications
In the ETL 2014 report, "Identity theft/fraud" is regarded as a top threat because it is often characterized as an attack vector that collects user identity information such as personal profiles and credit card information, along with passwords, access codes, etc. The ETL 2014 report highlights that identity theft/fraud is on the rise across all emerging technologies. Identity theft makes use of Personal Identifying Information (PII) to impact individuals. Misuse of PII can result in a data breach, which has proved to be the ultimate consumer issue because the individual is compromised. Identity theft mostly occurs in financial transactions and with identification information, where consumers feel their identity has been stolen and misused for fraud. The consumer, for his/her part, reports the issue to the competent authority to stop misuse of their identification information (FTC, 2014). Identity theft/fraud is regarded as the most significant security issue worldwide for the following reasons:
Identity theft is growing constantly, which is leading to consumer mistrust of online transactions and of digital means of performing them. As of 2014, over 50% of consumers have reported issues of identity misuse or are victims of this threat (Inscoe, 2014).
This is further confirmed by regular news and reports on computer-related fraud in the areas of finance, banking, healthcare, point-of-sale (POS) systems and so on. The identity theft issue challenges the trust and protection offered by service providers, mainly e-commerce systems, banking, insurance and so on.
Identity theft and fraud have a significant economic impact on communities as a whole. For instance, the total money lost by victims can run up to millions of dollars, which is quite substantial for under-developed countries. In fact, statistics obtained from the Consumer Awareness Survey show that over 86% of consumers have expressed concern about sending their personal information over the internet, and 59% of respondents have emphasized the need for more robust systems to ensure user privacy, confidentiality, and protection of individual identity (Saini, Rao, & Panda, 2012).
Identity theft and fraud directly affect the user and result in psychological impact. Users have a fear of crime, meaning that the stolen personal information can be used for criminal activity and the user can be victimized or face criminal activity. Other psychological impacts can be the fear of financial losses, damage to reputation, loss of online privacy and so on (Hille, Walsh, Brach, & Dose, 2011).
Business firms are also likely to lose reputation, and identity fraud in the area of healthcare in particular is on the rise, especially in the USA, where 2 million American citizens will likely spend 12 billion dollars because of identity theft (Ponemon, 2014).
A recent study by Javelin Strategy & Research shows that identity theft and fraud is on the rise: their survey showed 13.1 million US consumers were victims in 2015 compared to 12.7 million consumers in the year 2014 (Pascual, Marchini, & Miller, 2016).
Based on the above statistics, it can be seen that identity theft and fraud is regarded as a top threat across these years, which calls for adequate measures to mitigate this attack.
In cyber-crime, a threat agent refers to an individual or group that can pose a threat. The ETL 2014 report explains the role played by threat agents and ways to minimize their impact. The ETL 2014 report ranks threat agents according to the attribution statistics found during the report's review period. Some of the notable threat agents found in the report include:
Cybercriminals: These threat agents make use of high-performance computing systems and are highly skilled and equipped. The main objective of cyber criminals is to make profits from illegal/criminal activities on the internet.
Prevention: Cyber criminals can be prevented by keeping the computer system up to date, securing configurations of the system, using strong passwords, deploying firewalls, installing latest anti-virus software and protecting user information.
Online Social Hackers: These threat agents are skilled in social engineering, as they analyze the behavior and psychology of social targets and thus snoop on potential victims. Normally these threat agents are found on social networking sites on the internet and make use of phishing attack methods.
Prevention: Online social hackers can be stopped by being careful about sharing personal information with strangers, using strong passwords, and not disclosing passwords to strangers or others. Companies with a social media presence can limit the number of employees who use it (Hys, 2016).
Hacktivists: The hacktivist threat agent group consists of politically motivated activists. They focus on propaganda and on influencing political decision making, and they lack any central organizational structure. Their actions include defacing websites, hacking, DDoS, information leakage, etc. They can be active during situations like internal unrest, riots, major events attracting international attention, etc.
Prevention: Hacktivists can be managed by eliminating standalone systems with passwords; ensuring rotation of passwords or using multi-factor authentication can minimize the risk of compromise (Vecchi, 2014).
Employees: Employees, whether current or former, internal or external, can be motivated by dissatisfaction or revenge to damage information systems, resulting in data breaches. These threats are high, and security experts must identify unhappiness and prevent the system from being abused.
Prevention: Deploying intrusion detection systems, establishing access controls appropriate to employee levels, having policies for preventing access by employees who have left, and identifying user behaviour are some strategies for preventing employee threats.
Therefore threats can be either data or access oriented. Security experts must ensure adequate security measures to overcome threats from different threat agents.
There has been a growing dependency on social media sites for sharing information and updates with connected friends and groups. Social media is mostly used by people in the age group 15 – 30 years. At the same time, experts explain privacy concerns with examples of how popular sites like Facebook and Twitter have affected users because of weak privacy policies (Gangopadhyay & Dhar, 2014). Social media sites allow everyone to do anything, which makes them vulnerable and easy for hackers (Reld, 2014).
Social hacking issues can result from the open nature of social media, where people can create and exchange user-generated content (Kaplan & Haenlein, 2010). There are millions of active users on social media, and social hacktivist threat agents are mostly interested in gaining individual personal information from users on these sites. Such information is easily available to huge audiences and communities. In fact, social media platforms allow users to spread information to gain attention from other scarce users (Romero, Galuba, Asur, & Huberman, 2011). Social media influences participatory behavior in individuals, and this can help target agents to influence offline behavior (Bond, et al., 2012). Many researchers claim that social influence can guide individual actions as a result of interactions and is a natural process that changes a person's attitude and behavior (Hillman & Trier, 2013). In addition to the above, Lee, Shi, Cheung, Lim, and Sia (2013) explain the issue of social influence due to information overload. Under this influence, people tend to share personal information, or accept information or advice, from unknown users whom they may not have met before. This could be an issue, as a user can be exploited into venturing into malicious activity, which can be highly risky. All these aspects of social networking sites give threat agents the potential to influence individual behavior and swipe personal information for their own vested interests.
This discussion refers to Table 2 of the ETL 2014 report. Table 2 shows the top threats in the 2014 reporting period, with their ranking and whether each identified threat has increased, decreased or remained constant compared to the previous year. From Table 2:
Malicious code (worms/Trojans) is found to increase and there is no change in ranking compared to previous reporting period (2013). Hence the probability of this threat is likely to increase in 2014.
Web-based attack trends are going up while the ranking shows a decline in 2014. The probability of this attack is likely to decline in the coming years.
Web application/injection attack trends are increasing, the same as in 2013, and the ranking is unchanged.
Exploit kit trends indicate a decline in 2014 compared to an increase in 2013. The rank for this threat is also going down. Exploit kits show a probability of decline from 2014 onwards.
Botnet attacks remained stable during 2013 and trends in 2014 show a decline, whereas the rank is going upwards in 2014, which shows botnet attacks will decline in the coming years.
Denial of service attacks show an upward trend in both reporting periods and the rank in 2014 indicates increased DoS attacks. The probability of DoS is likely to increase from 2014 onwards.
Trends related to physical damage/theft/loss show an increase in 2014 and in 2013. The rank for this threat in 2014 seems to decrease.
Trends in identity theft/fraud show increased trends in 2013 and 2014, but the rank in 2014 is found to decrease. The probability of this trend will increase.
Phishing attack trend is on the rise in both years, and rank is going up in 2014. Phishing attacks can increase in the coming years.
Spam attacks show a stable trend in 2013 whereas the trend in 2014 shows a decline. However, the ranking for spam in 2014 is upwards.
Data breaches show upward trends for both the years and increased rank in 2014.
Information leakage trends are found to be increasing in 2013 and also in 2014 with rank going up in this reporting period.
Trends in Rogueware/Ransomware/Scareware show increases in 2013, whereas a decline in 2014. The rank in 2014 for this threat is going down. The probability of this threat is likely to decline from 2014 onwards.
Cyber espionage attack trends show an increase for both years, whereas the rank for this threat in 2014 is the same.
The probability of insider threat is likely to remain the same in 2014.
The ETL 2014 report can be improved by including the security systems and solutions available to thwart threat agents. For instance, the report highlights the types of approaches followed by threat agents, whereas it does not describe existing solutions already in practice and deployed to mitigate a particular type of threat agent. The report can also include real-time examples to demonstrate each type of threat and its implications, and the measures security experts can consider to prevent the same type of threat in their organization. Information threats are becoming complex with the latest technology developments, and threat agents are equally prepared to exploit vulnerabilities in new technologies being adopted by organizations worldwide. From the ETL report, I find that a tremendous amount of work has been done to summarize threats and security issues under different categories and classify them according to their impact. Though this report is focused only on EU member states, the same can be initiated in other continents/countries to build a comprehensive picture of the global threat landscape, which can help security experts to understand IT threats, because in the current world-wide-web scenario threats cannot be confined to one continent or location.
This refers to Table 10 in ETL 2014. From Table 10 it can be seen that all the threat types mentioned show an increase or upward trend. Some threats could be most challenging in the coming years. For instance, DoS attacks can be motivated by political hackers to deny access and to deny information to certain groups. For example, terrorist groups can initiate a DoS attack to prevent certain communities from getting important information. The threat of terrorism can be a reason for DoS attacks in some states. A DoS attack may be used by hackers to prevent user logins. While the DoS is active, hackers have already gained supervisor access to servers and systems and are transferring data.
The next important threat identified is an insider threat. Insider threat can cause more damage forcing the organization to compromise in some instances compared to an external attack. This is because an insider or an ex-employee is more aware of the organization’s systems and can anticipate the security practices followed to overcome them.
Identity theft/fraud is another threat which can increase in the coming years, as more and more users are performing financial transactions on the internet. In addition to computers, there is an increase in mobile users and hence the attacks can definitely increase in the coming years. Adequate security measures are required to prevent identity theft and fraud for all IT and mobile users. This is another challenging area for security experts.
ENISA can be satisfied because the report provides details on information security aspects, provides classifications of the types of threats in information systems areas, and provides a realistic comparison of threats based on information gathered in the previous year. At the same time, the current state of IT security needs to be hardened because the types of threats and their complexity are increasing day by day. ENISA can further provide analysis to show the effectiveness of the security systems available to mitigate different attack types.
Conclusions
In this report the ETL 2014 report is analyzed to understand the current threat landscape in information security. The analysis covers an overview of the report followed by an illustration of the security frameworks followed in ENISA. The section on insider threats provides strategies to monitor threats arising from employees. The top threat regarded in this report is identity theft/fraud, which is explained in detail. The section on threat agents discusses the role of threat agents and prevention measures. A brief review of the literature is provided for social hacking issues, and trends in threat probability are discussed. Improvements to the ETL processes are also discussed, followed by the most challenging threats in the coming years and the current state of IT security enumerated in ETL.
References
Bond, R., Fariss, C., Jones, J., Kramer, A., Marlow, C., Settle, J. E., et al. (2012). A 61-million-person experiment in social influence and political mobilization. Nature, 295-297.
FTC. (2014). Consumer Sentinel Network Data Book, January - December 2013. USA: Federal Trade Commission.
Gangopadhyay, S., & Dhar, D. (2014). Social Networking sites and privacy issues concerning youths. Global Media Journal-Indian Edition, pp. 1-5.
Herring, C. (2014). Dealing with Insider Threats. Retrieved September 12, 2016, from LANCOPE: https://www.lancope.com/blog/slic/dealing-with-insider-threats
Hille, P., Walsh, G., Brach, S., & Dose, D. (2011). Why online identity theft poses a major threat to e-business. In: Proceedings of the ACM WebSci'11, (pp. 1-2).
Hillman, R., & Trier, M. (2013). Influence and dissemination of sentiments in social network communication patterns. Proceedings of the 21st European Conference on Information Systems.
Hys, L. (2016). How to Help Prevent a Social Media Hack. Retrieved September 13, 2016, from SecurityIntelligence. Analysis and Insight for Information Security Professionals: https://securityintelligence.com/how-to-prevent-a-social-media-hack/
Inscoe, S. (2014). Global Consumers: Losing Confidence in the Battle Against Fraud. Boston, USA: Aite Group LLC.
Kaplan, A., & Haenlein, M. (2010). Users of the world, unite! The challenges and opportunities of Social Media. Business Horizons, 59-65.
Karsberg, C., Skouloudi, C., & Dekker, M. (2013). Annual Incident Reports 2013. Analysis of Article 13a annual incident reports. Heraklion, Greece: European Union Agency for Network and Information Security (ENISA).
Lee, M., Shi, N., Cheung, C. M., Lim, K. H., & Sia, C. (2013). Consumer's decision to shop online: The moderating role of positive informational social influence. Information & Management, 48 (6), 185-190.
Pascual, A., Marchini, K., & Miller, S. (2016). 2016 Identity Fraud: Fraud Hits an Inflection Point. CA, USA: Javelin Strategy & Research, a Greenwich Associates LLC company.
Ponemon. (2014). Fourth Annual Benchmark Study on Patient Privacy and Data Security. USA: Ponemon Institute LLC.
Reld, T. (2014). Social Hacking For Introverts. Retrieved September 12, 2016, from HackerSpace: https://hackerspace.kinja.com/social-hacking-for-introverts-1554859929
Romero, D., Galuba, W., Asur, S., & Huberman, B. (2011). Influence and passivity in social media. International World Wide Web Conference (WWW’11).
Saini, H., Rao, Y., & Panda, T. (2012). Cyber crimes and their impacts: A Review. International Journal of Engineering Research and Applications (IJERA), 2 (2), 202-208.
Security, H. (2013). National Risk Estimate: Risks to U.S. Critical Infrastructure from Insider Threat. USA: National Protection and Programs Directorate, Office of Infrastructure Protection, Integrated Analysis Task Force, Homeland Infrastructure Threat and Risk Analysis Center.
Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Flynn, L., & Shimeall, T. (2012). Common Sense Guide to Mitigating Insider Threats, 4th Edition. MA, USA: Software Engineering Institute. Carnegie Mellon University.
Vecchi, J. (2014). Advanced Threat Protection & Visibility: Hacktivists. Retrieved September 13, 2016, from SECURITYWEEK: https://www.securityweek.com/advanced-threat-protection-visibility-hacktivists