Threats to Systems
In this article we look at common threats to computer systems.
We will look at some real cases of computer systems that failed due to a vulnerability that was intentionally or accidentally exposed, causing severe financial damage or security breaches. The cases presented below refer mostly to system weaknesses related to human factors, cyber-attacks, poor implementation issues and others.
Humans make a system vulnerable
One of the weakest links in the chain called computer system is usually the user. Improper or careless human behaviour can make a system vulnerable and prone to attacks that could result in security violations or other undesired situations. Estimates have human behaviour as a factor in around 90% of all successful hacks.
Such behaviours include either intentional or unintentional actions that can be associated with threats like an inside job attack or accidental release of confidential data.
Below are two examples of human threats that show that even the most secure systems (you would expect the NSA to be on the ball) can be vulnerable:
The Inside Job
The first example describes the inside job that occurred in 2013 at the National Security Agency in the United States of America. In this case, a former NSA employee (i.e. Edward Snowden) disclosed 1.5 million top-secret government documents that included personal information of US and foreign citizens, revealing the global surveillance plan followed by the NSA and the US government. Later that year, Snowden was charged with theft of confidential government documents and involvement in espionage, as after the disclosure of these documents he sought asylum in Russia.
Accidental release of data
In 2014, an employee of the Australian Immigration Department accidentally published the passport numbers, visa details and other personal identifiers of all world leaders attending the G20 Brisbane summit to the organisers of the Asian Cup football tournament via email. Among the leaders were the American President Barack Obama, the Russian President Vladimir Putin and the British Prime Minister David Cameron. The Australian Government tried to resolve this problem by deleting the sent emails from the respective recipient accounts.
Cyber attacks on a vulnerable system
Active cyber-attacks are another factor that can affect the security and operation of a computer system. These attacks usually take advantage of vulnerabilities in a system's security or operation to compromise it. The impact of attacks varies in severity, from the relatively harmless (for example defacing a website) to the severe (a data breach of PII or financial details). This can cause either financial or reputational losses to the organisation. Thousands of different cyber-attacks happen every day, trying to take advantage of the gaps and holes that exist due to the vulnerabilities of the attacked systems.
Yahoo Data Breach
In 2013, after a successful online hacking attack at Yahoo!, a massive data breach (which is still one of the world's biggest) occurred, resulting in the exploitation of the sensitive data of approximately 1 billion users, including their names, telephone numbers, dates of birth, passwords and security questions. In this case, the vulnerability of the system was due to a lack of sufficient security mechanisms to protect the servers attacked.
Health Records leaked
In April 2020, US Healthcare partners had a data breach exposing more than 78,000 patient records. The breach took place through a compromised email account (there are no details on how yet), which contained an Excel spreadsheet containing the details (why would anyone do this). Details leaked include names, mailing addresses and other information that could be used in identity theft.
Stuxnet
Stuxnet is an (in)famous attack against industrial control systems in 2010. It attacked control systems, and was responsible for causing significant damage to Iran's nuclear program.
One reason for its fame is that it is widely understood to be a cyberweapon, developed by the USA and Israel.
Stuxnet had some interesting components. The malware payload was highly specialised, and only attacked specific controllers, and therefore caused no harm to systems that did not meet its criteria. The virus itself would spread through Windows systems on a network, using a flaw in the Windows operating system.
These three attacks give three different examples of a cyber attack. Yahoo was an example of an attack against a system with poor security mechanisms. The health records attack gives an example of how a compromised part of a system can lead to a breach. Stuxnet is an interesting example of a specialised, targeted (and possibly nation state level) attack.
Poor Implementation: another cause of system vulnerability
Another common reason that makes a computer system vulnerable is the poor design and/or implementation of the system during its development life cycle. Poor design or implementation generally means security configuration or mechanisms that were applied improperly, or badly written code in the system itself. Inappropriate security measures are highly likely to create holes that allow attackers to penetrate the system and bypass its security. Finally, poor programming can cause the system's operation or security to fail when vulnerabilities created during the coding process are exploited.
Note
There is a fine line between Poor Implementation, and exploited system flaws. Often the flaws that are exploited in a cyber attack are due to poor implementation in the software itself.
In this case, we make a distinction between flaws that have caused an issue without any "Active" hacking attempt.
The following are examples of where flaws in a program have caused damage, or a data breach.
Ariane 5 Explosion
An important system failure that was caused by a programming error is the Ariane 5 case in 1996. Ariane 5 was a space vehicle manufactured by the European Space Agency in order to serve space journeys. During one launch the rocket exploded after 40 seconds, due to an error in the code that stored a 64-bit float number into a 16-bit integer, causing the system to fail due to a severe overflow.
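The conversion described above, as an added example (not code from this article or from the Ariane software): a range-checked conversion from a 64-bit float to a 16-bit signed integer, with an explicit status for values that do not fit. The function and type names are this example's own, and the sample readings are constructed.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of a checked conversion (names are this example's own). */
typedef enum { CONV_OK, CONV_OUT_OF_RANGE, CONV_NOT_A_NUMBER } conv_status;

/*
 * Convert a 64-bit float to a 16-bit signed integer, truncating toward zero.
 * In C, casting a double whose truncated value does not fit the target type
 * is undefined behaviour, so the range is tested before the cast, never after.
 * On failure *out is left untouched and the caller must handle the status.
 */
conv_status to_int16_checked(double value, int16_t *out)
{
    if (isnan(value))
        return CONV_NOT_A_NUMBER;
    /* Truncation maps the open interval (-32769, 32768) onto [-32768, 32767]. */
    if (value <= (double)INT16_MIN - 1.0 || value >= (double)INT16_MAX + 1.0)
        return CONV_OUT_OF_RANGE;
    *out = (int16_t)value;
    return CONV_OK;
}

/* Alternative policy: clamp to the nearest representable value. */
int16_t to_int16_saturating(double value)
{
    int16_t result = 0;            /* NaN maps to 0 in this example */
    switch (to_int16_checked(value, &result)) {
    case CONV_OUT_OF_RANGE:
        return value < 0 ? INT16_MIN : INT16_MAX;
    default:
        return result;
    }
}

int main(void)
{
    /* Constructed sample readings, not flight data. */
    const double samples[] = { 1200.75, -32768.9, 32767.9, 40000.0, -1e9, NAN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int16_t v = 0;
        conv_status s = to_int16_checked(samples[i], &v);
        printf("%12.2f -> status=%d checked=%d saturated=%d\n",
               samples[i], (int)s, (int)v, (int)to_int16_saturating(samples[i]));
    }
    return 0;
}
```

Whether to reject or saturate an out-of-range value is a design decision for each variable; the point is that the decision is made explicitly rather than left to the conversion.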
Unencrypted data stored publicly
Finally, a case where a poor security design caused the leakage of sensitive data happened in 2016 when a glitch triggered around 330 million passwords to be stored in readable text, which was visible on the internal computer system of Twitter. Specifically, the poor security design did not consider the hashing or encryption of this data allowing user credentials to be revealed to the staff of the company.
Conclusion
In this article we have discussed how various system vulnerabilities can potentially affect the safety and security of different types of systems. The examples discussed highlight how a poorly designed, configured or implemented system can lead to loss and damage.
Integrating security into the design and development process could help reduce the impact of these issues. In the next set of sessions we will be looking at the secure design process.
Looking at threats #LookingAtThreats
Our first discussion for this week.
We have looked at examples of different threats that systems can face.
Research a recent cyber attack or incident (for example the NotPetya ransomware, or the recent issues with deserialization in NodeJS).
Use the feed on Aula (and the tag #lookingatthreats) to discuss the attack, and answer the following questions.
- What threat are you looking at?
- A brief description of the threat
- What was the main factor in the attack (human error, poor coding practice etc.)?
- How was the threat discovered?