Executive Summary
Vectors of attack on individuals and organisations have increased greatly with the digitisation of human existence. Now that most activity is mediated through the internet, all individuals and all organisations in ‘modern’ digital societies are open to attack. In the analogue era, intercepting snail mail was one of the only ways to mount a man in the middle (MITM) attack; the telegraph and then telephony added wire taps. Software as a Service (SaaS) and other XaaS offerings multiply the attack vectors many times over. Most private sector and public sector service offerings are now delivered via digital channels, and some services are only available via digital channels.
“There are many reasons an insider can be or become malicious including revenge, coercion, ideology, ego or seeking financial gain through intellectual property theft or espionage.” - ASD
Use Case 01
Title: compromise service integrity to individual
Scenario: man in the middle attack
- Social media algorithms force people down dangerous content rabbit holes, leading to reputational harm, legal harm, financial harm, radicalisation harm, and so on.
- Groups and individuals with the appropriate knowledge and skills can deliberately place content liable to harm an individual into that individual’s ‘recommendations’ stream, so that it appears the content was suggested by the social media algorithm.
2.1 By people at a social media org, who might be directed by the social media org’s management hierarchy, or by external groups who control social media employees.
2.2 By people external to the social media org who inject content into the HTTP stream.
Threat actor (perpetrator): Malicious insider, Insider threat,
User actor (target): Anybody,
Use Case 02
Title: Release / publish private or sensitive information
Scenario: Doxing
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody,
Use Case 03
Title: Radicalise someone
Scenario:
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody,
Use Case 04
Title: Discredit / malign someone
Scenario:
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody,
Use Case 05
Title: Impersonate someone
Scenario:
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody,
Use Case 06
Title:
Scenario:
Threat actor (perpetrator): Malicious insider, Insider threat
User actor (target): Anybody,
BOSCARD
Background
Might be carried out by any individual lone actor. Might be carried out by a group with similar ideological views: criminal networks, political networks, ideological networks, and so on, and lone actors of the same inclination.
A non-comprehensive list of some attack vectors.
Telco cable infrastructure
Internet provider
Data centre
XaaS provider (cloud)
Network infrastructure (Bluetooth, Wi-Fi, 3G, 4G, … )
Personal computing (desktop, laptop, tablet, PDA, mobile, smartphone, smart device, IIoT, IoT, … )
Operating system (Windows, iOS, Android, Unix, Linux, …)
Browser / App
Digital service (gov, com, org, net, …)
Some of these vectors are best described using the conceptual abstractions of the OSI seven-layer model for system interconnection, with a mapping of four of the OSI abstraction layers to the four abstraction layers of the internet protocol suite as a concrete vulnerability vector example.
Objective
Protect individual users from harm arising from the use of now ubiquitous and unavoidable digital services that are interfered with or tampered with, compromising the integrity of the service to the user.
Man in the middle applies to any digital service: email applications, all social media, and most other internet-hosted applications and services.
< todo: refactor this bit. too specific. not clear enough. not DRY enough. >
Digital service integrity (gov, com, org, net, ac, …)
Email privacy
Email subscriptions
Email links
Email attachments
Text messages
Single ring
Digital Security
Account hijacking, email, social media
Account impersonation, social media
Man in the middle attacks email
Inserting false information into emails or email threads
So as to mislead the recipient into believing the content or message was from the sender
Malign messages to discredit sender
Malign messages to disrupt relationships and sow distrust between sender and recipient
Man in the middle attacks social media
Insert content into social media stream liable to cause harm to the receiver if engaged with
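As an added example (not code from the original post), the Python script below shows one receiver-side check for the ‘man in the middle attacks email’ and ‘inserting false information into emails’ items above: it reads the Authentication-Results header (RFC 8601) that the receiving mail server records, compares the DKIM signing domain with the From: domain, and lists the reasons a message cannot be trusted to have arrived intact from its apparent sender. The sample messages, the domains (example.org, example.net, bulk-mailer.example) and the selector name are constructed, and the alignment rule is a simplified form of DMARC relaxed alignment.

```python
"""Receiver-side sanity check of sender authentication on inbound mail.

Added example, not code from the original post. Parses the
Authentication-Results header (RFC 8601) written by the receiving mail
server, plus the From: header, and reports why a message should not be
trusted as intact from its apparent sender: DKIM or SPF failure, DMARC
failure, or a DKIM signing domain that is not aligned with the From: domain.
All sample messages below are constructed.
"""
import re
import email
import email.utils
from email import policy


def parse_auth_results(value: str) -> dict:
    """Turn 'authserv-id; method=result prop=val ...; ...' into {method: {...}}."""
    value = re.sub(r"\([^)]*\)", "", value)   # drop RFC 5322 comments such as (p=reject)
    value = " ".join(value.split())            # collapse any folding whitespace
    results = {}
    for part in value.split(";")[1:]:          # the first part is the authserv-id
        m = re.match(r"(\w+)=(\w+)(.*)", part.strip())
        if not m:
            continue
        method, result, props = m.groups()
        results[method] = {"result": result.lower(),
                           **dict(re.findall(r"(\S+?)=(\S+)", props))}
    return results


def aligned(signing_domain: str, from_domain: str) -> bool:
    """Simplified DMARC relaxed alignment: same domain, or one is a subdomain of the other."""
    a, b = signing_domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def assess_message(raw: bytes) -> list:
    """Return the list of integrity findings for one raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    headers = msg.get_all("Authentication-Results", [])
    if not headers:
        return ["no Authentication-Results header: receiving server did not verify the sender"]
    # The topmost header is the one added by the last (our own) receiving server.
    results = parse_auth_results(str(headers[0]))
    findings = []
    dkim = results.get("dkim", {"result": "none"})
    if dkim["result"] != "pass":
        findings.append(f"dkim={dkim['result']}: signed headers or body may have been altered in transit")
    elif not aligned(dkim.get("header.d", ""), from_domain):
        findings.append(f"dkim signing domain {dkim.get('header.d')} not aligned with From domain {from_domain}")
    spf = results.get("spf", {"result": "none"})
    if spf["result"] != "pass":
        findings.append(f"spf={spf['result']}: sending host not authorised for {spf.get('smtp.mailfrom', '?')}")
    dmarc = results.get("dmarc", {"result": "none"})
    if dmarc["result"] != "pass":
        findings.append(f"dmarc={dmarc['result']}: From domain {from_domain} does not vouch for this message")
    return findings


# Constructed samples: same apparent sender, different authentication outcomes.
GOOD = b"""From: Alice <alice@example.org>
To: bob@example.net
Subject: quarterly figures (constructed sample)
Authentication-Results: mx.example.net;
 dkim=pass header.d=example.org header.s=sel1;
 spf=pass smtp.mailfrom=example.org;
 dmarc=pass (p=reject) header.from=example.org

Bob, figures attached as discussed.
"""

TAMPERED = b"""From: Alice <alice@example.org>
To: bob@example.net
Subject: quarterly figures (constructed sample)
Authentication-Results: mx.example.net;
 dkim=fail (body hash did not verify) header.d=example.org header.s=sel1;
 spf=pass smtp.mailfrom=example.org;
 dmarc=fail (p=reject) header.from=example.org

Bob, the figures have changed, see the revised attachment.
"""

MISALIGNED = b"""From: Alice <alice@example.org>
To: bob@example.net
Subject: quarterly figures (constructed sample)
Authentication-Results: mx.example.net;
 dkim=pass header.d=bulk-mailer.example header.s=sel1;
 spf=pass smtp.mailfrom=bulk-mailer.example;
 dmarc=fail (p=reject) header.from=example.org

Bob, figures attached.
"""

UNCHECKED = b"""From: Alice <alice@example.org>
To: bob@example.net
Subject: quarterly figures (constructed sample)

Bob, figures attached.
"""

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("TAMPERED", TAMPERED),
                      ("MISALIGNED", MISALIGNED), ("UNCHECKED", UNCHECKED)]:
        print(name, "->", assess_message(raw) or ["clean"])
```

The caveat that matters for this post: the Authentication-Results header is only as trustworthy as the server that wrote it. An external party tampering with a message in transit, or spoofing the From: address, is caught by this check; a malicious insider at the recipient’s own mail provider could simply write a clean header, which is precisely the insider case the post is concerned with. In production a mail client should also keep only the header whose authserv-id is its own provider’s, since upstream hops may add their own.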
Scope
Constraints
In the face of exponential change and vast complexity there is no renaissance man solution. If there is no renaissance man solution, what hope have mere mortals?
Capability skill poverty.
Epistemic poverty.
Human interaction poverty.
Time poverty.
Assumptions
If someone can be radicalised by accidentally falling down a harmful internet rabbit hole, then someone who has been profiled can be radicalised by purposely leading, channelling or directing them to content that will engage a negative emotional spiral: fear, anger, hatred, and so on.
Specifically, engaging base primal instinct (fight or flight) and human weaknesses and vulnerabilities: companionship/romance/sex, resource insecurity/finance/money/employment/housing, hunger/food, health/mental/physical/emotional, and so on.
The more immersive the medium and the more senses it engages, the more effective it is: games, videos, 3D, …
Gaming the internet to manipulate, exploit and control.
Gamification of applications and services to maintain addictive levels of engagement: building brand loyalty (points mean prizes) and political loyalty, including extremism and radicalisation; behavioural modification and incentivisation of copycat behaviour.
In the digital era anyone with the skills, or who controls relevant malicious insiders, can reach into the lives of anyone else in the world from anywhere else in the world. In the analogue era, for the most part, a perpetrator would have to travel to, or hire someone at or near, the target’s location to carry out a MITM attack, for example.
Risks
Risks to recipient/receiver/user: reputational, social, financial, legal, occupational, behavioural, …
Risks to sender: reputational, social, financial, …
Behavioural: radicalisation in extreme cases, self-harm in other cases.
Deliverables
Regulation, oversight, enforcement,
Compliance, detection, deterrence,
Conclusion
Integrity of digital service provision must be protected by law. Non-interference in service provision must be guaranteed. Individuals and organisations are at more risk now than at any other time due to digitalisation.
There is a related issue of the digital divide and digital poverty.
There is a related issue in the corporate externalisation of capability and service provision onto users, so that users must now become subject matter experts on the topic of the service instead of this being provided by the organisation.
There is a related issue here with externalisation, outsourcing and offshoring, IVR with DTMF, cloud, and the like.
The digitalisation of human existence has brought some remarkably positive changes to humanity. It has also brought some remarkably negative ones, which we are battling to address as individuals and as a society, and look likely to for some time to come.
Humanity is maladapted to a life mediated through the digital realm. Yet more and more of human existence is funnelled toward it.
See related posts
Block Internet Search Query Terms - HTTP Request intercept, Brave Community
Security - DNS Blacklists and Whitelists, Brave Community
Browser Ontology - terminology and term relations, Brave Community
References
Attacks
Attacks (social engineering)
Gaming the system, Wikipedia
Gamification, Wikipedia
One ring phone scam, Federal Communications Commission
Caller ID Spoofing, Federal Communications Commission
Attacks (software), OWASP
Browser session recorders
Keyloggers
boy-in-the-browser (BitB, BITB)
Man-in-the-middle attack, (MITM), Wikipedia
Man-in-the-browser, OWASP
Man-in-the-browser, (MITB, MitB, MIB, MiB), Wikipedia
man-in-the-mobile (MitMo)
Manipulator-in-the-middle, OWASP
< more to list … >
Personal computing devices
personal computing device definition, Law Insider
Personal computing definition, Law Insider
Personal computer, Wikipedia
Personal Computing Devices Market Insights, 11 June 2024, IDC
Personal computer technology, Britannica
< more defs to list … >
Terms of reference
BOSCARD, 21 Oct 2021, Duncan Haughey, Project smart
Threat Actor
What is a threat actor?, IBM
Malicious insiders, 23 Jun 2020, ASD
Vulnerabilities, attack vectors
Vulnerabilities (software), OWASP
Glossaries security
Security vocabulary, NICCS, US
Standards/Specifications/Models
OSI Model (the seven layer model), Wikipedia
Layer 8 +, Wikipedia
Internet Protocol Suite, Wikipedia
Newspapers
Gamification
The El Paso Shooting and the Gamification of Terror, 4 August 2019, Robert Evans, Bellingcat, Retrieved 8 September 2024.
Complexity
Pensioner accidentally pays £2,700 for Oasis tickets, 7 September 2024, Tony Fisher & Louise Parry, BBC News, Retrieved 9 Sept 2024
Papers
Fernandes, D.A.B., Soares, L.F.B., Gomes, J.V. et al. Security issues in cloud environments: a survey. Int. J. Inf. Secur. 13, 113–170 (2014). https://doi.org/10.1007/s10207-013-0208-7
Andy Jones, The changing nature of malicious attacks, Computer Fraud & Security, Volume 2008, Issue 6, 2008, Pages 15-17, ISSN 1361-3723, https://doi.org/10.1016/S1361-3723(08)70100-3
Law/regulation/directives
Data protection in the EU, EU Commission
< todo: source digital services integrity law, right not to have services interfered with by hostile actors, right not to have services compromised by hostile actors, right to security and integrity of service, >
< todo: source digital services access law, right not to be denied service, right not to have services denied by hostile actors, >
< todo: source digital services good faith law, not to be an unwitting experimental subject, convenience services and lazy click and agree T&C’s because there is little alternative or the barriers to access without doing so too high or convenience exploitation, , >
Resources
pushsecurity / saas-attacks, < Private company, no due diligence done, link in relation to a Linked in article >