D7: Security Operations Flashcards
Incident Scene
- ID the scene
- Protect the environment
- ID evidence and potential sources of evidence
- Collect evidence and hash it at the time of collection (the hash proves later that the evidence is unchanged)
- Minimize the degree of contamination
Locard’s Exchange Principle - every contact leaves a trace: perpetrators bring something to the scene and take something away from it
Evidence Types
- Sufficient: persuasive enough to convince one of its validity
- Reliable: consistent with fact, evidence has not been tampered with or modified
- Permissible: lawfully obtained; avoid unlawful search and seizure, secret recording, privacy violations and forced confessions
- Preserved and Identifiable: evidence must be preserved unchanged and be identifiable at every stage
Identification: labeling, recording serial numbers, etc.
*Stages: collection, documentation, classification, comparison, reconstruction
Evidence Lifecycle
- Discovery
- Protection
- Recording
- Collection and Identification
- Analysis
- Storage, preservation, transportation
- Present in Court
- Return to Owner
Showing evidence is trustworthy: witnesses describe the collection procedures, show these were the normal business method of collection, and describe the precautions taken against errors and how errors were corrected
Best Evidence
- Primary Evidence - used at trial because it is the most reliable.
- Original documents are used to prove things such as contracts
- NO COPIES!!!! (a copy is secondary evidence)
- Oral testimony is not best evidence, though it may provide interpretation of documents
Secondary Evidence
- Not as strong as primary evidence
- Not permitted if the best (primary) evidence is available
- Copies of documents and oral evidence (like witness testimony)
Direct Evidence
- Direct evidence can prove a fact by itself and needs no backup evidence.
- Does NOT need other evidence to substantiate it.
- Testimony from a witness about what they perceived with one of their five senses.
- Oral evidence is a type of secondary evidence, so a case cannot simply stand on it alone.
Conclusive Evidence
- irrefutable and cannot be contradicted
- requires no other corroboration
Circumstantial Evidence
- used to infer another fact
- cannot stand on its own to directly prove a fact
Corroborative Evidence
- supports or substantiates other evidence presented in a case
Hearsay Evidence
- something a witness heard another person say, offered to prove it is true; generally inadmissible
- business records and computer printouts/displays are technically hearsay
- EXCEPTION: audit trails and business records are admissible when the documents are created in the normal course of business
Interviewing
Gather facts and determine the substance of the case
Interrogation
Evidence-retrieval method whose ultimate aim is to obtain a confession
The Process / Due Process
Involves:
- preparing questions and topics
- putting the witness at ease
- summarizing the information gathered and the interview/interrogation plan
Other Notes:
- have one person as lead and 1-2 others involved as well
- never interrogate or interview alone
Opinion Rule
Requires witnesses to testify only about the facts of the case; a lay witness’s opinion cannot be used as evidence
*context - Federal Rules of Evidence (FRE), a court will permit a person who isn’t testifying as an expert to testify in the form of an opinion if it’s both rationally based on their perception and helps to explain the witness’s testimony
Expert Witnesses
Used to educate the jury; an expert’s opinion can be admitted as evidence
Six Principles for Digital Evidence Technicians
- When dealing with digital evidence, all general forensic and procedural principles must be applied
- Upon seizing digital evidence, actions taken should not change the evidence
- When it is necessary for a person to access original digital evidence, that person should be trained for that purpose.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the evidence is in their possession
- Any agency responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
Media Analysis
Identification and extraction of information from storage media. May include:
- Magnetic Media - hard disks, tapes
- Optical Media - CDs, DVDs, Blu-ray discs
- Memory - RAM, solid state storage
Techniques used for media analysis may include:
- recovery of deleted files from unallocated sectors of the physical disk
- the live analysis of storage media connected to a computer system (esp. useful when examining encrypted media)
- the static analysis of forensic images of storage media.
Software Analysis
Forensic review of applications or the activity that takes place within a running application.
May need to review and interpret log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.
When malicious insiders are suspected, the forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs or other vulns.
Hardware / Embedded Device Analysis
Forensic analysts often must review the contents of hardware and embedded devices.
This may include a review of personal computers & smartphones
Admissible Evidence
- The evidence must be relevant to determining a fact, and the fact must be material/related to the case
- Evidence must have been obtained legally aka competent
- Evidence that results from an illegal search would be inadmissible because it is not competent.
Five Rules of Evidence
- Be authentic - evidence ties back to the scene
- Be accurate - maintain authenticity and veracity
- Be complete - all evidence collection, for and against view
- Be convincing - clear & easy to understand for jury
- be admissible - be able to be used in court
Forensic Disk Controller
Write blocking - intercepts write commands sent to the device and prevents them from modifying data on the device
Returns the data requested by a read operation
Returns access-significant information from the device (e.g. size and geometry)
Reports errors from the device back to the forensic host
LOGS TAKEN IN NORMAL COURSE OF BIZ are admissible (business records exception to hearsay)
MOM
Means, opportunity and motive
Victimology
Why certain people become victims of a crime, and how lifestyle affects the chances that a given person will fall victim to a crime
Investigation Types
Operational
Criminal
Civil
eDiscovery
Slack Space
Slack space on a disk should be inspected for hidden data and should be included in Disk Image
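Where the slack actually lives, as an added example that is not part of the original flashcards: a toy image with 512-byte sectors and 4-sector clusters (constructed values), a 2600-byte file starting at cluster 2, and a string planted in the file’s slack. Real tools read the cluster map and the logical file size from the file system metadata (FAT, MFT); here they are passed in directly, which is an assumption of the example.

```python
"""Locate and carve slack space in a constructed disk image.

Added example (not from the flashcards). Assumes 512-byte sectors,
4 sectors per cluster, and that the file's first cluster and logical
size are already known (real tools take these from file system metadata)."""
import math
import re

SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER  # 2048 bytes


def clusters_needed(file_size: int) -> int:
    return max(1, math.ceil(file_size / CLUSTER))


def slack_ranges(first_cluster: int, file_size: int):
    """Return (ram_slack, drive_slack) as (start, end) byte offsets in the image.

    RAM slack: from the logical end of the file to the end of its last sector
    (modern OSs zero-fill it on write).
    Drive (file) slack: whole sectors left over in the last allocated cluster;
    these keep whatever was on the disk before, so they can hide data."""
    start = first_cluster * CLUSTER
    logical_end = start + file_size
    sector_end = start + math.ceil(file_size / SECTOR) * SECTOR
    cluster_end = start + clusters_needed(file_size) * CLUSTER
    return (logical_end, sector_end), (sector_end, cluster_end)


def build_image(file_data: bytes, hidden: bytes, first_cluster: int = 2,
                total_clusters: int = 8) -> bytes:
    """Constructed sample image: stale filler everywhere, the file written at
    first_cluster, RAM slack zeroed, and `hidden` planted in the drive slack."""
    img = bytearray(b"\xAA" * (total_clusters * CLUSTER))  # pretend stale residue
    start = first_cluster * CLUSTER
    img[start:start + len(file_data)] = file_data
    ram, drive = slack_ranges(first_cluster, len(file_data))
    img[ram[0]:ram[1]] = b"\x00" * (ram[1] - ram[0])
    if len(hidden) > drive[1] - drive[0]:
        raise ValueError("hidden data must fit in the drive slack")
    img[drive[0]:drive[0] + len(hidden)] = hidden
    return bytes(img)


def carve_slack(image: bytes, first_cluster: int, file_size: int) -> bytes:
    """Everything between the file's logical end and the end of its last cluster."""
    ram, drive = slack_ranges(first_cluster, file_size)
    return image[ram[0]:drive[1]]


def printable_strings(blob: bytes, min_len: int = 6):
    """Runs of printable ASCII, the same idea as the `strings` utility."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


if __name__ == "__main__":
    report = (b"Q3 report: revenue up 4%. " * 100)[:2600]  # 2600-byte file -> 2 clusters
    image = build_image(report, b"exfil-key=hunter2 :: pw hidden in slack")
    slack = carve_slack(image, first_cluster=2, file_size=len(report))
    print(len(slack), "bytes of slack:", printable_strings(slack))
```

A file-level copy would never include those 1496 bytes, which is why the image has to be a bit-for-bit copy of the physical disk rather than a copy of the files.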
3 Branches of Law
Legislative: writing laws (statutory laws)
Executive: enforces laws (administrative laws)
Judicial: Interpret laws (common laws from court decisions)
Criminal Law
Individuals that violate government law
Punishment is mostly imprisonment
Civil Law
Wrongs against an individual or organization that result in damage or loss.
Punishment can include financial penalties
Tort Law (I’ll Sue You!): a jury decides liability
Administrative/Regulatory Law
How industries, organizations and officers have to act (regulations set by government agencies).
Wrongs can be penalized with financial penalties or imprisonment
Uniform Computer Information Transactions Act (UCITA)
Model (uniform) state law, not a federal statute, that provides a common framework for the conduct of computer-related business transactions; adopted by only a few states (Virginia and Maryland)
UCITA contains provisions that address software licensing
The terms of UCITA give legal backing to the previously questionable practice of shrink-wrap licensing by giving such licenses status as legally binding contracts
3 Types of Harm of Computer Crimes
- Unauthorized intrusion
- Unauthorized alteration or destruction
- Malicious Code
Admissible evidence
relevant, sufficient, reliable, does not have to be tangible
Enticement
the legal act of luring an intruder who has already decided to commit a crime, e.g. with a honeypot
Entrapment
the illegal act of inducing someone to commit a crime they had no intent to commit beforehand
Federal Sentencing Guidelines
provide judges and courts with standardized sentencing procedures; organizations receive reduced penalties if they have programs for the prevention, detection and reporting of offenses
Security Information and Event Management (SIEM)
Automates much of the routine work of log review by collecting and correlating logs from many systems
Provides real-time analysis of events occurring on systems throughout an organization, but does not necessarily inspect outgoing traffic (that is DLP’s role)
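What "automating the routine work of log review" looks like in practice, as an added example that is not from the flashcards: a single correlation rule run over constructed sshd-style log lines. The log lines, the IP addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the THRESHOLD/WINDOW values are all made up for the example.

```python
"""Brute-force login detection over constructed sshd-style log lines.

Added example, not from the flashcards. Lines, IPs and thresholds are
constructed; a SIEM would apply the same rule to normalized events."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
THRESHOLD = 5       # failures from one source IP ...
WINDOW = 60         # ... within this many seconds -> alert
SUCCESS_AFTER = 3   # a success preceded by this many recent failures -> alert

SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
2024-03-01T10:00:03 sshd[1201]: Failed password for root from 203.0.113.5 port 51023 ssh2
2024-03-01T10:00:05 sshd[1202]: Failed password for root from 203.0.113.5 port 51024 ssh2
2024-03-01T10:00:07 sshd[1202]: Failed password for root from 203.0.113.5 port 51025 ssh2
2024-03-01T10:00:09 sshd[1203]: Failed password for root from 203.0.113.5 port 51026 ssh2
2024-03-01T10:00:11 sshd[1203]: Accepted password for root from 203.0.113.5 port 51027 ssh2
2024-03-01T10:00:30 sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-03-01T10:02:30 sshd[1301]: Failed password for alice from 198.51.100.7 port 40002 ssh2
2024-03-01T10:02:35 sshd[1301]: Accepted password for alice from 198.51.100.7 port 40003 ssh2
2024-03-01T10:03:00 cron[55]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse(line: str):
    """Return (timestamp, result, user, ip), or None for lines this rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(lines):
    """Single pass over the lines with a sliding window of failure times per IP."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside WINDOW
    already_alerted = set()
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        window = recent_failures[ip]
        while window and (ts - window[0]).total_seconds() > WINDOW:
            window.popleft()               # expire failures older than the window
        if result == "Failed":
            window.append(ts)
            if len(window) >= THRESHOLD and ip not in already_alerted:
                alerts.append(f"BRUTE_FORCE ip={ip} failures={len(window)} window={WINDOW}s")
                already_alerted.add(ip)
        else:
            if len(window) >= SUCCESS_AFTER:   # the attacker probably got in
                alerts.append(f"SUCCESS_AFTER_FAILURES ip={ip} user={user} failures={len(window)}")
            window.clear()                     # a success ends the current attempt
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Alice’s two failures are two minutes apart, so the first has left the window by the time the second arrives and her login produces no alert; the 203.0.113.5 source trips both rules.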
Intrusion
Occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources.
Intrusion Detection
A specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
Intrusion Detection System (IDS)
Automates the inspection of logs and real-time system events to detect intrusion attempts and system failures.
An effective method of detecting many DoS and DDoS attacks
Can recognize external attacks e.g. from the internet or attacks that spread internally like a malicious worm.
Detections will trigger alarms and alerts, and sometimes will modify the environment to stop an attack
IDS is part of a defense-in-depth security plan - it works with, and complements, other security mechanisms like firewalls, but it does not replace them.
Intrusion Prevention System IPS
Intrusion prevention system includes all capabilities of an IDS, but can also take additional steps to stop or prevent intrusions - admins can disable the features of an IPS, and it becomes an IDS
Data Loss Prevention (DLP)
Data loss prevention systems attempt to detect and block data exfiltration attempts.
The systems can scan data looking for keywords and data patterns (e.g. credit card or social security number formats).
Can look for sensitive information stored on hard drives
Network-based DLP
Scans all outgoing data looking for specific data.
Admin would place it at the edge of the network to scan all data leaving the organization
If a user sends out a file containing restricted data, the DLP system will detect and prevent it from leaving the organization
The DLP system will send an alert such as an email to an administrator
Endpoint-based DLP
Can scan files stored on a system as well as files sent to external devices such as printers
An organization’s endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer
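The "keywords and data patterns" check that both network-based and endpoint-based DLP rely on, as an added example that is not from the flashcards. The outbound messages, the keyword list and the card number 4111 1111 1111 1111 (a widely used test number) are constructed; real products add exact-data matching, document fingerprints and file-format parsing on top of this.

```python
"""Pattern-based DLP scan over constructed outbound messages.

Added example, not from the flashcards. Messages, keywords and the
test card number are constructed; the Luhn check is what keeps a random
16-digit ticket number from being flagged as a payment card."""
import re
from dataclasses import dataclass, field

# 13-19 digits, optionally separated by single spaces or dashes, starting and ending on a digit
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN shape; excludes never-issued prefixes (000, 666, 9xx) and all-zero groups
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORDS = ("confidential", "internal only", "restricted")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    return [m.group() for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group()))]


@dataclass
class Verdict:
    action: str                       # "ALLOW" or "BLOCK"
    reasons: list = field(default_factory=list)
    redacted: str = ""                # safe text for the admin alert, never the raw data


def scan_message(text: str) -> Verdict:
    reasons, redacted = [], text
    for pan in find_pans(text):
        last4 = re.sub(r"\D", "", pan)[-4:]
        reasons.append(f"PAN ending {last4}")
        redacted = redacted.replace(pan, f"[PAN-{last4}]")
    for m in SSN_RE.finditer(text):
        reasons.append("SSN")
        redacted = redacted.replace(m.group(), "[SSN]")
    for kw in KEYWORDS:
        if kw in text.lower():
            reasons.append(f"keyword '{kw}'")
    return Verdict("BLOCK" if reasons else "ALLOW", reasons, redacted)


OUTBOUND = [  # constructed sample traffic
    "Invoice attached, card 4111 1111 1111 1111 exp 12/26",
    "Ticket 1234 5678 9012 3456 opened",         # 16 digits but fails Luhn: not a card
    "Employee SSN 123-45-6789 for payroll",
    "Meeting moved to room 4111",
    "CONFIDENTIAL: merger terms",
]

if __name__ == "__main__":
    for msg in OUTBOUND:
        v = scan_message(msg)
        print(v.action, v.reasons, "->", v.redacted)
```

The redacted string is what should go into the alert e-mail to the administrator: an alert that quotes the full card number would itself be a leak.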
3 states of information
Data at rest (storage)
Data in transit (the network)
Data being processed (must be decrypted) / in use / end point
Configuration Item (CI)
Component whose state is recorded
Version: recorded state of the CI
Configuration
Collection of component CI’s that make another CI
Building
Assembling a version of a CI using component CI’s
Building list
Set of versions of component CIs used to build a CI
CI Software Library
Controlled area only accessible for approved users
Recovery Procedures
System should restart in secure mode
Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals
Fault-tolerant
Continues to function despite failure
Fail Safe System
Program execution is terminated and the system is protected from compromise when a hardware or software failure occurs (for doors: usually unlock)
Fail Closed/Secure
The most conservative from a security perspective
Fail Open
Failure leaves the system in a permissive state (e.g. a firewall that passes all traffic, doors that unlock); favors availability and safety over security
Fail Hard - BSOD
System halts completely on failure and shows diagnostics (e.g. a blue screen) so a human can see why it failed
Fail Soft or Resilient System
Selected, non-critical processing is terminated when a failure occurs; the system keeps running its critical functions at reduced capacity (may require a reboot)
Failover
Switches to hot backup
Fail Safe vs. Fail Secure
FAIL SAFE: doors UNLOCK
FAIL SECURE: doors LOCK
Trusted Path
Protects data between the user and a security component (the TCB)
Channel established with strict standards to allow necessary communication to occur without exposing the TCB to security vulnerabilities
A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange
ONLY WAY TO CROSS THE SECURITY BOUNDARY THE RIGHT WAY
Security Events vs. Security Incidents vs. Security Intrusion
Events: anything observable that happens; can be documented, verified and analyzed.
Incidents: event(s) that adversely impact the ability of an organization to do business; a suspected attack
Intrusion: evidence that an attacker attempted to gain, or gained, access to a resource
Incident Response Lifecycle
Official:
Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned
Unofficial:
Response Capability: policy, procedures, a team
Incident Response and Handling: triage, investigation, containment and analysis tracking
Recovery: Recovery or repair
Debriefing / Feedback: External Communications
Mitigation: limit the effect or scope of an incident
Root Cause Analysis (RCA)
COME BACK TO AFTER READING
HIDS
Host Based IDS
Monitors activity on a single computer, including process calls and information recorded in firewall logs.
It can often examine events in more detail than NIDS can, and it can pinpoint specific files compromised in an attack.
It can also track processes employed by the attacker
A benefit of HIDS over NIDS is that HIDS can detect anomalies on the host system that NIDS cannot detect
NIDS
Network-IDS
Monitors and evaluates network activity to detect attacks or event anomalies
It cannot monitor the content of encrypted traffic but can monitor other packet details
A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.
Full Backup
All files are backed up; the archive (modify) bit is cleared
Pro: only the most recent full backup is needed for a full restore
Con: time consuming and needs the most storage
Incremental Backup
Only files modified since the last backup of any type; archive bit is cleared
Pro: least time and space per backup
Con: restore needs the last full backup and then every incremental since it, in order > less reliable because it depends on more components
Differential Backup
Only files modified since the last full backup; archive bit is NOT cleared
Pro: restore needs only the full backup and the last differential; backup time sits between full and incremental
Redundant Servers
Applies raid 1 mirroring concepts to servers
On error servers can do a failover > aka server fault tolerance
Server Clustering
Group of independent servers which are managed as a single system
All servers are online and take part in processing service requests
Individual computing devices on a cluster vs. a grid system — cluster devices all share the same OS and application software but grid devices can have different OSs while working on same problem
Tape Rotation Schemes
COME BACK TO AFTER READING
RAIT
Redundant array of independent tapes; tape libraries use robotic mechanisms to transfer tapes between storage slots and drive mechanisms
Mutual Aid Agreements
AKA Reciprocal agreement
Arrangement with another similar organization to take over processing if one of them is hit
Pro: cheap
Con: systems must be compatible (ideally identical); may not have enough capacity; only viable short term; a disaster could affect both organizations; generally not enforceable
DR - Subscription Services
Third-party subscription services provide alternate backup and processing facilities
Most common implementation
Redundant
Mirrored Site, potential zero down time
Hot Site - Internal/External
Fully configured computer facility
All applications are installed, up-to-date and mirror of the production system
For extremely urgent, critical transaction processing
Pro: 24/7 availability and exclusive use are assured - short and long term
Con: extra admin overhead, costly, security controls need to be installed at the remote facility too
Exclusive to one company; can be up in hours
Warm Site
Cross between hot and cold site
The computer facility is available but the applications may not be installed or may need to be configured.
External connections and other data elements that take a long time to order are present
Workstations have to be delivered and data has to be restored
Pro: less costly, more choice of location, fewer admin resources required
Con: it will take some time to start production processing; non-exclusive; on the order of 12 hours to be up
Cold Site
Least ready but most commonly used
Has no hardware installed, only power and HVAC
Pro: Cost, ease of location choice, non-exclusive
Con: very lengthy time of restoration, false sense of security but better than nothing
Service Bureau
Contract for fully backed-up processing services from a service bureau
Pro: quick response and availability; testing is possible
Con: expense; more of a short-term option
Multiple Centers/Dual Sites
Processing is spread over several computer centers
Can be managed by the same corporation (in house) or with another organization (reciprocal agreement)
Pro: costs; multiple sites share resources and support
Con: a major disaster could affect both sites, multiple configurations have to be administered
Rolling/Mobile Sites
Mobile homes or trucks fitted with HVAC and power
Could be considered a cold site
In-House or External
Supply of hardware replacements
Stock of hardware either onsite or with a vendor
May be acceptable for warm site but not for hot site
Prefabricated building
A very cold site
RAID Levels
RAID 0: Striping - one large disk out of several; improved performance but no fault tolerance
RAID 1: Mirroring - data duplicated on two drives; survives a single disk failure; expensive (half the capacity); redundancy only, not speed
RAID 2: not used commercially; bit-level striping with Hamming code error correction
RAID 3: Striped at byte level with a dedicated parity drive; improved performance and fault tolerance, but every write hits the parity drive (write bottleneck); 3 or more drives
RAID 4: same as RAID 3, but striped at block level; 3 or more drives
RAID 5: Striped at block level, parity interleaved (distributed) over all drives; keeps operating with one drive failed, the failed drive is hot-swappable and rebuilt from parity; 3 or more drives
RAID 6: Dual parity distributed over all drives; keeps operating with two drives failed; 4 or more drives
RAID 7: proprietary, non-standard level: striping with parity plus a controller with its own cache and real-time OS, presenting all drives as one single virtual disk
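How distributed parity tolerates the loss of a drive, as an added example that is not from the flashcards: data is striped over N-1 chunks per stripe, the Nth chunk is the XOR of the others, and the parity position rotates from stripe to stripe. The disk count, chunk size, data string and the particular rotation formula are constructed for the example; real controllers use several layouts.

```python
"""XOR parity striping as in RAID 5, with rebuild of a failed disk.

Added example, not from the flashcards. Disk count, chunk size, payload
and the rotation rule (parity on disk (N-1-s) mod N for stripe s) are
constructed choices."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, ndisks: int) -> int:
    return (ndisks - 1 - stripe) % ndisks      # rotate parity: no single parity bottleneck


def raid5_write(data: bytes, ndisks: int, chunk: int):
    """Return `ndisks` disks, each a list of chunks (one per stripe)."""
    data_per_stripe = (ndisks - 1) * chunk
    stripes = -(-len(data) // data_per_stripe)           # ceiling division
    data = data.ljust(stripes * data_per_stripe, b"\0")   # pad the final stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(stripes):
        base = s * data_per_stripe
        chunks = [data[base + i * chunk: base + (i + 1) * chunk] for i in range(ndisks - 1)]
        p = parity_disk_for(s, ndisks)
        data_iter = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_blocks(chunks) if d == p else next(data_iter))
    return disks


def raid5_read(disks, length: int) -> bytes:
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild(disks, failed: int):
    """Any single disk equals the XOR of all the others, whether it held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([disk[s] for disk in survivors]) for s in range(len(survivors[0]))]


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"
    array = raid5_write(payload, ndisks=4, chunk=4)
    lost = array[2]
    array[2] = None                        # disk 2 dies
    array[2] = rebuild(array, failed=2)    # hot-swap and reconstruct from the survivors
    print(array[2] == lost, raid5_read(array, len(payload)) == payload)
```

With two disks gone the XOR no longer has enough information to recover either of them, which is exactly the gap RAID 6’s second, independent parity closes.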
Backup Storage Media
Tape: sequential access, slow random reads but fast streaming writes (roughly 200GB an hour); historically cheaper than disk (now changing); robotic libraries
Disk: fast random read/write; less robust than tape for long-term offline storage
Optical: CD/DVD; inexpensive
Solid state: USB drives; security issues (easily lost or stolen), so protect the contents with AES encryption
MTTF - mean time to failure
MTTR - mean time to repair
MTBF - mean time between failures (useful life) = MTTF + MTTR
JBOD - most basic type of storage
Electronic Vaulting
Transfer of backup data to an offsite storage location via communication lines
Remote Journaling
Parallel processing of transactions to an alternative site via communication lines
Database shadowing
Live processing of remote journaling that creates duplicates of the database sets on multiple servers
Object reuse
Using an object (memory, storage, media) again after its initial use; must not expose the previous user’s data
Data remanence
Data remaining on media after erasure; classic guidance was to overwrite magnetic media 7 times before reuse
Clearing
Overwriting media so it can be reused within the same security environment
Purging
Degaussing or overwriting so media can be removed from the controlled environment (released to a lower classification or outside)
Destruction
Complete physical destruction, preferably by burning (also shredding or pulverizing)
Disaster Recovery End Goal
Restore normal business operations
Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information
Goal: provide organized way for decision making, reduce confusion and deal with crisis
Planning and development must occur before the disaster
BIA has already been completed prior - now it is time to protect
Disaster
Any event, natural or manmade, that can disrupt normal IT operations
The disaster is not over until all operations have been returned to their normal location and function
It will be officially over when the data has been verified at the primary site, as accurate
Recovery Team
Mandated to implement recovery after the declaration of the disaster
Salvage Team
Goes back to the primary site to return it to normal processing environmental conditions
Clean, repair, salvage
Can declare when the primary site is available again
Normal Operations Resume Plan
Has all procedures on how the company will return processing from the alternate site
Other Recovery Issues
Interfacing with other groups: everyone outside the corporation
Employee relations - responsibility towards employees and their families
Fraud and crime: vandalism, looting and people grabbing the opportunity
Financial reimbursement: insurance claims and expense tracking
Media relations - find one person to run it (a single spokesperson)
Documenting the Disaster Recovery Plan
- activation and recover procedures
- plan management
- HR involvement
- costs
- required documentation
- internal / external communications
- detailed plans by teams
**get communications up first, then most critical business functions
Desk Check
review plan contents
Table-Top Exercise
Members of the disaster recovery team gather in a large conference room and role-play a disaster scenario
Simulation tests
More comprehensive and may impact one or more non-critical business units of the organization, all support personnel meet in a practice room
Parallel tests
Involve relocating personnel to the alternate site and commencing operations there.
Critical systems are run at an alternate site, main site open also
Full-interruption tests
Involve relocating personnel to the alternate site and shutting down operations at the primary site
Business Continuity Plan (BCP)
Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation
BCP (proactive goals)
Business continuity - ensuring the business can continue in an emergency; the first step is a business organization analysis
Focus on Business Processes
- Scope and Plan Initiation - consider amount of work required, resources required, management practice
- BIA - helps understand the impact of disruptive events on business processes
- Business Continuity Plan development
- Use BIA to develop BCP (strategy development phase bridges the gap between the business impact assessment and continuity planning phases of BCP development) - Plan approval and implementation
- management approval
- create awareness
**Update plan as needed, at least once a year testing
Disaster Recovery (reactive goals)
Recover as quickly as possible
- Heavy IT focus
- Allows the execution of the BCP
- Needs planning
- Needs testing
Priority classes: CRITICAL, URGENT, IMPORTANT
Business Continuity Plans development
- Defining the continuity strategy
- Computing: strategy to preserve the elements of hardware/software/communication lines/applications/data
- Facilities: use of main buildings or any remote facilities
- People: operators, management, technical support persons
- Supplies and equipment: paper, forms, HVAC
- Documenting the continuity strategy
BCP Committee
Senior Staff: ultimate responsibility; responsible for due care and due diligence
Various business units: identify and prioritize time critical systems
Information Systems
Security Administrator
There should be representatives from all departments who will execute the plan
CCTV
Multiplexer allows multiple camera feeds to be shown over one cable on one monitor
- via coax cables (hence "closed" circuit)
- attacks: replay of recorded video images
- fixed mounting vs. PTZ (pan, tilt, zoom); annunciator system detects movement on screen and alerts guards
- Recording (for later review) = detective control
- CCTV enables you to compare audit trails and access logs with the visual recording
Lighting
Glare protection: lights aimed outward so intruders are blinded while guards are not
Continuous lighting: evenly distributed lighting
Controlled lighting: no bleeding over property lines, no blinding
Standby lighting: on timers or triggered
Responsive area illumination: IDS detects activity and turns on the lighting
NIST: critical areas should be illuminated 8 feet in height with 2 foot-candles of power
Alarms
Local Alarm: audible alarm that can be heard for at least 400 feet
Central Stations: less than 10mins travel time for e.g. a private security firm
Proprietary systems: owned and operated by the customer. System provides many of the features in-house
Auxiliary Station Systems: on alarm ring out to local fire or police
Line supervision: checks that the alarm wires have not been tampered with
Power Supplies: alarm systems need separate circuitry and backup power
Intrusion Detection (Physical and Motion)
Physical Parameter Detection
- Electromechanical - detect a break or change in a circuit: magnets pulled loose, wired doors and windows, pressure pads
- Photoelectric - light beams interrupted (as in a store entrance)
- Passive infrared - detects changes in heat (body temperature against the background)
- Acoustical detection - microphones, vibration sensors
Motion Detection
- Wave Pattern Motion Detectors - emit microwave or ultrasonic waves and detect changes in the reflected pattern
- Proximity/Capacitance detector - detects a change in the electrical/magnetic field around an object when something approaches it
Locks
Warded Lock - basic lock with internal wards (obstacles) that the key must clear, e.g. a padlock
Tumbler lock - pin or wafer tumblers in a cylinder; more secure than warded
Combination lock - wheels, e.g. 3 digits
Cipher lock - electronic keypad
Device lock - bolts hardware down
Preset - ordinary door lock with a fixed key
Programmable - combination or electronic lock whose code can be changed
Raking - picking technique used to circumvent a pin tumbler lock
Audit Trails
Should Include:
- Date and time stamps
- successful or unsuccessful attempt
- where the access was granted
- who attempted the access
- who modified access privileges at supervisor level
Security Access Cards
Photo ID Card: dumb card. Digitally coded cards:
- swipe cards
- smart cards
Wireless proximity cards
- user activated
- system sensing
- passive device, no battery, uses power of the field
- field powered device: active electronics, transmitter but gets power from the surrounding field from the reader
- transponders: both card and receiver holds power, transmitter and electronics
Trusted Recovery
Ensures that the security is not breached when a system crash or failure occurs
Only required for B3 or A1 level systems
Failure Preparation
Backup critical information thus enabling data recovery
System Recovery after a System Crash
- Reboot system in single user mode or recovery console so no user access is enabled
- Recover all file systems that were active during failure
- Restoring missing or damaged files
- Recovering the required security characteristic, such as file security labels
- Checking security-critical files such as system password file
Common Criteria hierarchical recovery types
Manual: system administrator intervention is required to return the system to a secure state
Automatic: recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures)
Automatic without Undue Loss: higher level of recovery defining prevention against the undue loss of protected objects
Function: system can restore functional processes automatically
Types of System Failure
System Reboot: system shuts itself down in a controlled manner after detecting inconsistent data structures or running out of resources
Emergency restart: uncontrolled restart after a failure, e.g. when a low-privileged user tries to access restricted memory segments
System Cold Start: an unexpected kernel or media failure occurs and the regular recovery procedure cannot bring the system back to a consistent state; requires operator intervention
Hackers and Crackers
Want to verify their skills as intruders
Entitlement
Refers to the amount of privileges granted to users, typically when first provisioning an account. User entitlement audit can detect when employees have excessive privileges
Aggregation
Privilege creep; users accumulate privileges over time as their roles change
Hypervisor
Software component that manages the virtual components. The hypervisor adds an additional attack surface, so it’s important to ensure it is deployed in a secure state and kept up-to-date with patches, controls access to physical resources
Notebook
most preferred in a legal investigation is a bound notebook with pages attached to the binding, so pages cannot be removed or inserted unnoticed
Exigent circumstances
Allows officials to seize evidence without a warrant when it is about to be destroyed
Data Haven
A country or location with no laws, or poorly enforced laws, on data protection and computer crime
Chain of Custody
Documented record of the collection, analysis and preservation of evidence: who handled it, when, where and why
Forensics works on a bit-level (bit-for-bit) copy of the disk, never the original
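The "collect evidence and hash it" step from the incident scene list and the chain-of-custody record above, as one added example that is not from the flashcards: the image is hashed at acquisition, every handoff re-hashes it and is logged by name, and an altered image is refused. The image bytes, the item id and the examiner names are constructed; in practice the hash is computed over the bit-for-bit image file while the original sits behind a write blocker.

```python
"""Hash-at-acquisition and chain-of-custody log for an evidence image.

Added example, not from the flashcards. Image bytes, item id and
examiner names are constructed."""
import hashlib
import io
from datetime import datetime, timezone


def sha256_stream(fileobj, chunk_size: int = 1 << 16) -> str:
    """Hash in chunks so multi-terabyte images never have to fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_hex(data: bytes) -> str:
    return sha256_stream(io.BytesIO(data))


class CustodyLog:
    """Append-only record: every handoff re-hashes the image and is signed off by name."""

    def __init__(self, item_id: str, image: bytes, collected_by: str):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(image)    # the value everything is compared against
        self.entries = []
        self._record("collected", collected_by, self.acquisition_hash)

    def _record(self, action: str, who: str, image_hash: str):
        self.entries.append({
            "item": self.item_id, "action": action, "who": who, "sha256": image_hash,
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })

    def verify(self, image: bytes) -> bool:
        """True only if the image still hashes to the value taken at collection."""
        return sha256_hex(image) == self.acquisition_hash

    def transfer(self, from_person: str, to_person: str, image: bytes) -> bool:
        """Hand the item over; an altered image is logged as refused, not as a clean transfer."""
        ok = self.verify(image)
        self._record("transferred" if ok else "TRANSFER_REFUSED_HASH_MISMATCH",
                     f"{from_person} -> {to_person}", sha256_hex(image))
        return ok


if __name__ == "__main__":
    image = bytes(range(256)) * 4096                  # stand-in for a 1 MiB disk image
    log = CustodyLog("EVD-2024-001", image, "Examiner A")
    print(log.transfer("Examiner A", "Evidence locker", image))           # True
    altered = bytearray(image)
    altered[777] ^= 0x01                              # a single flipped bit
    print(log.transfer("Evidence locker", "Examiner B", bytes(altered)))  # False
    for e in log.entries:
        print(e["action"], e["who"], e["sha256"][:16])
```

The point of the refused entry is that the log stays complete: the mismatch itself becomes part of the custody history rather than silently breaking the chain.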
Darknet
Unused network space that may detect unauthorized activity
Pseudo flaw
false vulnerability in a system that may attract an attacker
Fair Information Practices
- openness
- collection limitation
- purpose specification
- use limitation
- data quality
- individual participation
- security safeguards
- accountability
Noise and Perturbation
Inserting bogus information to mislead an attacker
First Step of Change Process
Management approval
When a question is asked about processes, there must always be management’s approval as First Step
Prototyping
Customer view taken into account
SQL-SUDIGR
6 basic SQL commands
Select, Update, Delete, Insert, Grant, Revoke
Bind Variables
Placeholders for literal values in a SQL query sent to the database; the values are bound separately after the statement is parsed, so they are never interpreted as SQL (prevents SQL injection)
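The difference between splicing a literal into the statement and binding it, as an added example that is not from the flashcards, run against an in-memory SQLite table. The users table, its rows and the payload string are constructed; sqlite3 uses ? as its placeholder, other drivers use %s or :name, the principle is the same.

```python
"""Literal splicing versus bind variables, against an in-memory SQLite table.

Added example, not from the flashcards. Table, rows and payload are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def lookup_vulnerable(con, name: str):
    # The literal is pasted into the statement text, so the database parser
    # executes whatever SQL the caller managed to put inside `name`.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_bound(con, name: str):
    # The statement is parsed with a placeholder; the value is bound afterwards
    # and can only ever be compared as data, never interpreted as SQL.
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


PAYLOAD = "x' OR '1'='1"   # classic tautology: closes the literal, adds an always-true clause

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", lookup_vulnerable(con, PAYLOAD))  # every row leaks
    print("bound:     ", lookup_bound(con, PAYLOAD))       # nobody is literally named that
```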
GANTT and PERT charts
????
Piggybacking
following an authorized person through a controlled entrance without presenting your own credentials (tailgating); looking over someone’s shoulder to see how they get access is shoulder surfing
Data Center Requirements
- Walls from floor to ceiling
- Floor: concrete slab rated for 150 lb per square foot
- No windows
- Air-Conditioning should have own Emergency Power Off (EPO)
Electronic Access Control (EAC): proximity readers, programmable locks or biometric systems
Crime Prevention Through Environmental Design (CPTED)
Natural Access Control: guidance of people by doors, fences, bollards, lighting; security zones are defined.
Natural Surveillance: design that keeps intruders visible (windows, open sight lines), plus cameras and guards
Territorial Reinforcement: walls, fences, flags and signage that show the space is owned
Target Hardening: locks, cameras, guards
Facility Site: put the data center in the core of the building (e.g. in a 6-story building, on the 3rd floor)
Hacktivists
Combination of hacker and activist, often combining political motivations with the thrill of hacking.
Thrill Attack
Attacks launched only for the fun of it. Pride, bragging rights, etc.
Script Kiddies
Attackers who lack the ability to devise their own attacks will often download programs that do their work for them.
The main motivation behind these attacks is the “high” of successfully breaking into a system.
Service Interruption may be the goal.
An attacker may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. Common to do website defacements.
Business Attacks
Focus on illegally obtaining an organization’s confidential information. The use of the information gathered during the attack usually causes more damage than the attack itself
Financial Attacks
Carried out to unlawfully obtain money or services
Terrorist Attacks
Purpose is to disrupt normal life and instill fear
Military or intelligence attack
Designed to extract secret information
Grudge Attacks
Attacks that are carried out to damage an organization or person. The damage could be in the loss of information or information processing capabilities or harm to the organization or person’s reputation.
Sabotage
A criminal act of destruction or disruption committed by an employee who is knowledgeable about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.
Espionage
The malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization
Attackers often commit espionage with the intent of disclosing or selling information to a competitor or other interested party (e.g. a foreign government).
Attackers can be dissatisfied employees, and in some cases, employees who are being blackmailed from someone outside of the organization.
Countermeasures against espionage: strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.
Integrity Breaches
Unauthorized modification of information, violations are not limited to intentional attacks.
Human error, oversight, or ineptitude accounts for many instances.
Confidentiality Breaches
Theft of sensitive information