Management
must be informed of the various kinds of threats facing the organization
A
threat is an object, person, or other entity that represents a constant danger
to an asset
By
examining each threat category in turn, management effectively protects its
information through policy, education and training, and technology controls
The
2002 CSI/FBI survey found:
– 90% of organizations responding detected
computer security breaches within the last year
– 80% lost money to computer breaches, totaling
over $455,848,000 up from
$377,828,700 reported in 2001
– The number of attacks that came across the
Internet rose from 70% in 2001 to
74% in 2002
– Only 34% of organizations reported their
attacks to law enforcement
The
2002 CSI/FBI survey found:
– 90% of organizations responding detected
computer security breaches within the last year
– 80% lost money to computer breaches, totaling
over $455,848,000 up from
$377,828,700 reported in 2001
– The number of attacks that came across the
Internet rose from 70% in 2001 to
74% in 2002
– Only 34% of organizations reported their
attacks to law enforcement.
Acts of Human Error or Failure:
Includes
acts done without malicious intent
Caused
by:Tnlearners.com,edu.finstechnologies.com,webexpo
Tnlearners.com,edu.finstechnologies.com,webexpo
–
Inexperience
– Improper training
– Incorrect assumptions
– Other circumstances
Employees
are greatest threats to information security – They are closest to the
organizational data.
Acts of Human Error or Failure:
Employee
mistakes can easily lead to the following:
– revelation of classified data
– entry of erroneous data
– accidental deletion or modification of data
– storage of data in unprotected areas
– failure to protect information
Many
of these threats can be prevented with controls.
Deviations in Quality of Service by Service
Providers:
Situations
of product or services not delivered as expected
Information
system depends on many inter-dependent support systems
Three
sets of service issues that dramatically affect the availability of information
and systems are
– Internet service
– Communications
– Power irregularities
Internet Service Issues:
Loss
of Internet service can lead to considerable loss in the availability of
information
– organizations have sales staff and
telecommuters working at remote locationsTnlearners.com,edu.finstechnologies.com,webexpo
Tnlearners.com,edu.finstechnologies.com,webexpo
When an organization
outsources its web servers, the outsourcer assumes responsibility for
– All Internet Services
– The hardware and operating system software used
to operate the web site.
Services:
Other
utility services have potential impact
Among
these are
– telephone
– water & waste water
– trash pickup
– cable television
– natural or propane gas
– custodial services
The
threat of loss of services can lead to inability to function properly.
Power Irregularities:
Voltage levels can increase, decrease, or cease:
– spike – momentary increase
– surge – prolonged increase
– sag – momentary low voltage
– brownout – prolonged drop
– fault – momentary loss of power
– blackout – prolonged loss
Electronic
equipment is susceptible to fluctuations, controls can be applied to manage
power quality.
Espionage/Trespass:
Broad
category of activities that breach confidentiality
– Unauthorized accessing of information
– Competitive intelligence (the legal and ethical
collection and analysis of information regarding the capabilities,
vulnerabilities, and intentions of business competitors) vs. espionage
– Shoulder surfing can occur any place a person
is accessing confidential information
Controls
implemented to mark the boundaries of an organization‘s virtual territory
giving notice to trespassers that they are encroaching on the organization‘s
cyberspace
Hackers
uses skill, guile, or fraud to steal the property of someone.
Espionage/Trespass:
Generally
two skill levels among hackers:
– Expert hacker
• develops software scripts and codes exploits
• usually a master of many skills
• will often create attack software and share
with others
– Script kiddies
• hackers of limited skill
• use expert-written software to exploit a system
• do not usually fully understand the systems
they hack
Other
terms for system rule breakers:
– Cracker - an individual who ―cracks‖ or removes
protection designed to prevent unauthorized duplication
– Phreaker - hacks the public telephone network.
Information Extortion:
Information
extortion is an attacker or formerly trusted insider stealing information from
a computer system and demanding compensation for its return or non-use
Extortion
found in credit card number theft.
Sabotage
or Vandalism:
Individual
or group who want to deliberately sabotage the operations of a computer system
or business, or perform acts of vandalism to either destroy an asset or damage
the image of the organization
These
threats can range from petty vandalism to organized sabotage
Organizations
rely on image so Web defacing can lead to dropping consumer confidence and
sales
Rising
threat of hacktivist or cyber-activist operations – the most extreme version is
cyber-terrorism.
Deliberate Acts of Theft:
Illegal
taking of another‘s property - physical, electronic, or intellectual
The
value of information suffers when it is copied and taken away without the
owner‘s
knowledge
Physical
theft can be controlled - a wide variety of measures used from locked doors to
guards or alarm systems
Electronic
theft is a more complex problem to manage and control - organizations may not
even know it has occurred.
Deliberate Software Attacks:
When
an individual or group designs software to attack systems, they create
malicious code/software called malware
– Designed to damage, destroy, or deny service to
the target systems
Includes:
– macro virus
– boot virus
– worms
– Trojan horses
– logic bombs
– back door or trap door
– denial-of-service attacks
– polymorphic
– hoaxes
Compromises
to Intellectual Property:
Intellectual
property is ―the ownership of ideas and control over the tangible or virtual
representation of those ideas.
Many
organizations are in business to create intellectual property
– trade secrets
– copyrights
– trademarks
– patents
Most
common IP breaches involve software piracy
Watchdog
organizations investigate:
– Software & Information Industry Association
(SIIA)
– Business Software Alliance (BSA)
Enforcement
of copyright has been attempted with technical security mechanisms.
Forces of Nature:
Forces
of nature, force majeure, or acts of God are dangerous because they are
unexpected and can occur with very little warning
Can
disrupt not only the lives of individuals, but also the storage, transmission,
and use of information
Include
fire, flood, earthquake, and lightning as well as volcanic eruption and insect
infestation
Since
it is not possible to avoid many of these threats, management must implement
controls to limit damage and also prepare contingency plans for continued
operations.
Technical Hardware Failures or Errors:
Technical
hardware failures or errors occur when a manufacturer distributes to users
equipment containing flaws
These
defects can cause the system to perform outside of expected parameters, resulting
in unreliable service or lack of availability
Some
errors are terminal, in that they result in the unrecoverable loss of the
equipment
Some
errors are intermittent, in that they only periodically manifest themselves,
resulting in faults that are not easily repeated
This
category of threats comes from purchasing software with unrevealed faults
Large
quantities of computer code are written, debugged, published, and sold only to
determine that not all bugs were resolved
Sometimes,
unique combinations of certain software and hardware reveal new bugs
Sometimes,
these items aren‘t errors, but are purposeful shortcuts left by programmers for honest or dishonest reasons.
Technological Obsolescence:
When
the infrastructure becomes antiquated or outdated, it leads to unreliable and
untrustworthy systems
Management
must recognize that when technology becomes outdated, there is a risk of loss
of data integrity to threats and attacks
Ideally,
proper planning by management should prevent the risks from technology
obsolesce, but when obsolescence is identified, management must take action
Attacks
An
attack is the deliberate act that exploits vulnerabilityTnlearners.com,edu.finstechnologies.com,webexpo
Tnlearners.com,edu.finstechnologies.com,webexpo
It is accomplished by a
threat-agent to damage or steal an organization‘s information or
physical asset
– An exploit is a technique to compromise a
system
– A vulnerability is an identified weakness of a
controlled system whose controls
are not present or are no longer effective
– An attack is then the use of an exploit to
achieve the compromise of a controlled system
No comments:
Post a Comment