2) Motives & Means

Motive – a reason for doing something
“jealousy was the motive for his murder”

Means – a method or way of doing something
“the crowbar was the means for breaking into the house”

In cyber security, the means by which threats can realize their objectives (motives) are the area where CISOs should focus their attention, as preventing, detecting and responding to these means will form the foundation for the security program’s controls.

The means which I believe are the most commonly associated with the threats and motives identified include:

  1. Attack the User
    1. Attack users visiting compromised websites via malware to exploit browser/OS vulnerabilities
    2. Redirect users to fake websites for purposes of stealing credentials
    3. Trick users with social engineering techniques in order to commit fraud or gain access to systems/networks
    4. Lure users into installing USB flash drives loaded with malware
    5. Steal devices from users
    6. Exploit devices users have lost
    7. Trick users into installing malicious applications
    8. Steal information/credentials when users access insecure wifi
  2. Attack the Endpoint Devices
    1. Exploit weak/default endpoint credentials for access
    2. Steal unencrypted information from endpoint
    3. Exploit endpoint vulnerabilities in OS and applications
    4. Exploit endpoint misconfigurations
    5. Execute malware introduced by other means
  3. Attack the Applications
    1. Exploit weak/default application credentials for access
    2. Exploit security design flaws (OWASP)
    3. Exploit security coding flaws
    4. Exploit vulnerabilities in application components
    5. Deny access to publicly available applications
  4. Attack the Network
    1. Exploit weak/default network device credentials for access
    2. Exploit network device misconfigurations
    3. Exploit vulnerabilities in network devices
  5. Attack the Servers
    1. Exploit weak/default server credentials for access
    2. Exploit server OS and middleware misconfigurations
    3. Exploit vulnerabilities in server OS and middleware
    4. Execute malware introduced by other means
  6. Exploit the Information
    1. Missing or insufficient data encryption
    2. Inappropriate use of information
    3. Inappropriate access to information
    4. Inappropriate disclosure of information
  7. Attack the Environment
    1. Physical social engineering (tailgating, impersonation)
    2. Break-in
    3. Rogue devices in the environment (WiFi or power plugs)
  8. Attack the Governance
    1. Failing to understand/meet regulatory requirements
    2. Failing to understand/meet legal requirements
    3. Failing to understand/meet contractual requirements
    4. Failing to ensure third parties who connect to, hold or process information for the organization are secure
    5. Failing to assess relevant risks
    6. Failing to address relevant risks

The following matrix cross-references the motives previously identified to the most common means by which they are realized: