My textbook lists categories of cyber-attacks that focus on an attack’s lasting impact: how does it affect the target’s assets and resources? Since the categories reflect the attack’s impact on the target, they really represent risks. Here are the categories I use right now:
Denial of service – Pillage – Subversion
Masquerade – Forgery – Disclosure
This is a work in progress as I figure out some conceptual ideas.
Cybersecurity people often talk about the CIA properties – Confidentiality, Integrity, and Availability. We can turn each of these into a type of risk, but I find the result too general, especially Availability and Integrity.
Denial of Service (DOS)
This risk is one part of Availability: when an attack prevents us temporarily from using an important resource. Classic Internet DOS attacks temporarily block access to targeted servers by flooding them with traffic, for example, memcache amplification attacks. Ransomware attacks, like WannaCry and NotPetya, are also DOS attacks, though they attack a computer’s data instead of its network connections.
Pillage
This is the risk of physical attacks or damage. Traditionally the term refers to physical destruction, and is rarely used to refer to cyberattacks. Some might argue that this isn’t a cybersecurity-related risk. I disagree. Physical security is essential to cybersecurity.
Physical attacks affect all three CIA properties. Equipment theft is probably the most common type of physical attack, and it clearly affects Availability. Natural disasters also destroy computers, as can civil unrest. In 1970, separate protests in Lawrence, KS, and Milwaukee, WI, damaged or destroyed computer equipment.
Pillage can also affect integrity. In 2008 the US military’s classified networks were infested with a network worm. The attack was traced to a trivial physical act: a USB drive plugged into a military laptop in Iraq. Military officials also worry about “back doors” installed in commercial computer hardware delivered from foreign countries.
Subversion
These risks affect the integrity of computer data and software through non-physical access. Most malware attacks represent subversion.
Masquerade
This risk reflects an authentication failure: the attacker takes on a legitimate and/or privileged role within the computing system.
Forgery
This applies a masquerade to individual messages: the attacker creates or modifies a message that the recipient misinterprets as being legitimate. Authentication is a complex process and is often omitted in lower-level network protocols. Protocols that do authenticate messages try to make forgery difficult or impossible, but the techniques can fail, and a non-cryptographic integrity check such as a checksum gives no protection against a deliberate forger at all.
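The following added example (mine, not code from the textbook or the original post) shows the difference between an integrity check that a forger can defeat and one that requires a key. A constructed, hypothetical "transfer" message format is framed two ways: with a CRC32 appended, and with an HMAC-SHA256 tag under a shared key. An attacker who does not hold the key can alter the CRC-protected message and recompute the CRC; the same alteration to the HMAC-protected message is rejected because the attacker cannot produce a matching tag.

```python
import binascii
import hashlib
import hmac
import struct

# Constructed message format, hypothetical and not from any real protocol:
#   <amount: 4-byte big-endian unsigned><account: ASCII bytes>
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for the HMAC tag


def build_payload(amount: int, account: str) -> bytes:
    return struct.pack(">I", amount) + account.encode("ascii")


def frame_with_crc(payload: bytes) -> bytes:
    """Append a CRC32: detects accidental corruption, not deliberate change."""
    return payload + struct.pack(">I", binascii.crc32(payload) & 0xFFFFFFFF)


def verify_crc(frame: bytes) -> bool:
    payload, tag = frame[:-4], frame[-4:]
    return struct.pack(">I", binascii.crc32(payload) & 0xFFFFFFFF) == tag


def frame_with_hmac(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed under a key the attacker lacks."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_hmac(frame: bytes, key: bytes) -> bool:
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so tag verification itself leaks nothing.
    return hmac.compare_digest(expected, tag)


def forge_crc_frame(frame: bytes, new_amount: int) -> bytes:
    """Attacker's move against CRC: rewrite the amount, recompute the CRC."""
    payload = frame[:-4]
    new_payload = struct.pack(">I", new_amount) + payload[4:]
    return frame_with_crc(new_payload)


def forge_hmac_frame(frame: bytes, new_amount: int) -> bytes:
    """Attacker's move against HMAC without the key: rewrite the amount,
    reuse the old tag (the best that can be done without the secret)."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    new_payload = struct.pack(">I", new_amount) + payload[4:]
    return new_payload + tag


def demo() -> dict:
    """Run both forgeries; returns which frames each verifier accepts."""
    key = b"shared-secret-constructed-for-this-demo"  # constructed key
    original = build_payload(100, "ACCT-42")
    crc_frame = frame_with_crc(original)
    mac_frame = frame_with_hmac(original, key)
    forged_crc = forge_crc_frame(crc_frame, 1_000_000)
    forged_mac = forge_hmac_frame(mac_frame, 1_000_000)
    return {
        "crc_original_ok": verify_crc(crc_frame),
        "crc_forged_ok": verify_crc(forged_crc),          # forgery accepted
        "hmac_original_ok": verify_hmac(mac_frame, key),
        "hmac_forged_ok": verify_hmac(forged_mac, key),   # forgery rejected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The HMAC only answers "was this message produced by someone holding the key?" It does not, by itself, stop an attacker from replaying a captured, correctly tagged message later; a real protocol also needs sequence numbers or nonces under the tag, which is one of the places where otherwise sound forgery defenses fail in practice.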
Disclosure
This risk is a classic failure of confidentiality. While disclosure may arise from a passive (eavesdropping) attack, it may also arise from other risks. For example, a malware package represents subversion, but many malware packages also try to collect login credentials found on an infected computer. Disclosure of sensitive data may also be the result of a masquerade.
Other Types of Categories
This classification doesn’t reflect how attacks work. An SQL injection, for example, could yield a disclosure, a masquerade, or a subversion.
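To make that last point concrete, here is an added example (mine, not from the textbook or the original post) in which one defect, SQL built by string concatenation, is exploited three ways against a constructed SQLite database, and each outcome lands in a different category above. The table, users, and payloads are all constructed for the demonstration; the hardened versions use bound parameters so the same inputs are treated as data.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample database: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
                            password TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice-pw', 'admin');
        INSERT INTO users VALUES (2, 'bob',   'bob-pw',   'user');
    """)
    return conn


# --- Vulnerable: three functions sharing one defect, string concatenation ---

def login(conn, name, password):
    """Returns (name, role) for a matching user, else None."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def search_names(conn, needle):
    """Returns user names containing the substring."""
    sql = f"SELECT name FROM users WHERE name LIKE '%{needle}%'"
    return [row[0] for row in conn.execute(sql)]


def change_password(conn, name, new_password):
    """Resets one user's password; returns the number of rows changed."""
    sql = f"UPDATE users SET password = '{new_password}' WHERE name = '{name}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


# --- Hardened: identical behaviour, inputs bound as parameters ---

def login_safe(conn, name, password):
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def search_names_safe(conn, needle):
    sql = "SELECT name FROM users WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{needle}%",))]


def change_password_safe(conn, name, new_password):
    sql = "UPDATE users SET password = ? WHERE name = ?"
    cur = conn.execute(sql, (new_password, name))
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    """Same injection point, three different impacts; run last to first
    so the subversion step does not disturb the earlier checks."""
    conn = setup_db()
    # Masquerade: '--' comments out the password check; attacker becomes alice.
    masquerade = login(conn, "alice'--", "")
    masquerade_safe = login_safe(conn, "alice'--", "")
    # Disclosure: UNION pulls the password column out through a name search.
    payload = "zzz%' UNION SELECT password FROM users--"
    disclosure = search_names(conn, payload)
    disclosure_safe = search_names_safe(conn, payload)
    # Subversion: WHERE clause now matches every row; all passwords change.
    subversion = change_password(conn, "nobody' OR '1'='1", "owned")
    subversion_safe = change_password_safe(conn, "nobody' OR '1'='1", "owned")
    return {
        "masquerade": masquerade,            # ('alice', 'admin')
        "masquerade_safe": masquerade_safe,  # None
        "disclosure": sorted(disclosure),    # ['alice-pw', 'bob-pw']
        "disclosure_safe": disclosure_safe,  # []
        "subversion": subversion,            # 2 rows rewritten
        "subversion_safe": subversion_safe,  # 0 rows
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The attacker's technique is the same string in each case; only the statement it lands in decides whether the result is a masquerade, a disclosure, or a subversion. That is why a classification by impact and a classification by mechanism answer different questions, and why a defense (here, parameter binding) is chosen by mechanism even though the risk is assessed by impact.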