other users of the Web application, thereby resulting in exploits ranging from session hijacking to the complete control of another user's machine initiated by an XSS worm. Another example of a threat may be in the form of a malicious insider. Let us assume that the organization's application administrator has malicious intentions for the company's sensitive information. The administrator, if aided by nonsecure application development and deployment, can use the said information for commercial purposes like selling credit card and personal information. Insider threat is also a serious consideration for organizations today. According to Gartner,* over 60% of security insiders in the organization cause breaches. One should be aware of the following key terms while discussing threats:
Threat actors
Threat motive
Threat outcome
Threat access
5.4.3.1 Threat Actor
Threat actor is the entity that is actually the source of the threat. Threat actor is also called threat agent in several cases. For instance, a hacker finds a stored XSS vulnerability in a public forum and maliciously redirects users to his attacker site using crafted JavaScript. The threat actor or the threat agent in this case is the hacker, as (s)he is the source of the threat. There may be nonhuman threat actors as well. For instance, even a power outage is considered a threat actor, as it can result in the critical information asset being unavailable for a period of time. With reference to Web applications, the threat actor we will consider will be the human actor, as we are concerned with the protection of Web applications from hackers, malicious users of the application, and insiders.
5.4.3.2 Threat Motive
Threat motive is the reason for a threat actor to attack and exploit the system. A threat motive might not always be deliberate or malicious. For instance, a machine operator may accidentally trip over a loose wire of a machine in a factory, causing the machine to stop. This results in unavailability and downtime. Threat motive is only captured for human threat actors, and it is either accidental or deliberate.
5.4.3.3 Threat Access
Threat access basically refers to the type of access that the threat agent would have to the critical information asset. For instance, a hacker accesses the Web application over the Internet, via the browser, and then the access has been gained via a network. To explain another scenario, let us assume that a disgruntled employee of an organization with malicious intentions gains access to the organization's data center and tries to cause a physical security breach to the systems. The threat agent, in this case, is the malicious employee, who gains access to the data center via physical means, which is the threat access. With reference to Web applications, our focus will mainly be on
* Gartner Insider Security breach: http://www.thefreelibrary.com/Gartner+Says+60+Percent+of+Security+Breach+Incident+Costs+Incurred+by…-a0102524425.