A variety of threats face today's computer systems and the information they process. In order to control the risks of operating an information system, managers and users must know the vulnerabilities of the system and the threats, which may exploit them.
Knowledge of the threat environment allows the system manager to implement the most cost-effective security measures. In some cases, managers may find it most cost-effective to simply tolerate the expected losses.
The following threats and associated losses are based on their prevalence and significance in the current computing environment and their expected growth. The list is not exhaustive; some threats may combine elements from more than one area.
Errors and Omissions
Users, data entry clerks, system operators, and programmers frequently make unintentional errors, which contribute to security problems, directly and indirectly. Sometimes the error is the threat, such as a data entry error or a programming error that crashes a system.
In other cases, errors create vulnerabilities. Errors can occur in all phases of the system life cycle. Programming and development errors, often called bugs, range in severity from benign to catastrophic. In the past decade, software quality has improved measurably to reduce this threat, yet software "horror stories" still abound.
Installation and maintenance errors also cause security problems. Errors and omissions are important threats to data integrity. Errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all users who create and edit data.
Many programs, especially those designed by users for personal computers, lack quality control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. The computer age saying "garbage in, gospel out" contains a large measure of truth.
People often assume that the information they receive from a computer system is more accurate than it really is. Many organizations address errors and omissions in their computer security, software quality, and data quality programs.
Fraud and Theft
Information technology is increasingly used to commit fraud and theft. Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods. For example, individuals may use a computer to skim small amounts of money from a large number of financial accounts, thus generating a significant sum for their own use.
In addition, deposits may be intentionally misdirected. Financial systems are not the only ones subject to fraud. Systems, which control access to any resource, are targets, such as time and attendance systems, inventory systems, school grading systems, or long-distance telephone systems.
Fraud can be committed by insiders or outsiders. The majority of fraud uncovered on computer systems is perpetrated by insiders who are authorized users of a system.
Since insiders have both access to and familiarity with the victim computer system, including what resources it controls and where the flaws are, authorized system users are in a better position to commit crimes. An organization's former employees may also pose threats, particularly if their access is not terminated promptly.
Disgruntled employees can create both mischief and sabotage on a computer system. Employees are the group most familiar with their employer's computers and applications, including knowing what actions might cause the most damage.
Organizational downsizing in both public and private sectors has created a group of individuals with organizational knowledge who may retain potential system access. System managers can limit this threat by invalidating passwords and deleting system accounts in a timely manner.
However, disgruntled current employees actually cause more damage than former employees do. Common examples of computer-related employee sabotage include:
- Entering data incorrectly
- Changing data
- Deleting data
- Destroying data or programs with logic bombs
- "Crashing" systems
- Holding data hostage
- Destroying hardware or facilities
Physical and Infrastructure
The loss of supporting infrastructure includes power failures (including outages, spikes and brownouts), loss of communications, water outages and leaks, sewer problems, lack of transportation services, fire, flood, civil unrest, strikes, and so forth.
These losses include dramatic events such as the explosion at the World Trade Center and the Chicago tunnel flood as well as more common events such as a broken water pipe. System owners must realize that more loss is associated with fires and floods than with viruses and other more widely publicized threats.
A loss of infrastructure often results in system downtime, sometimes in unexpected ways. For example, employees may not be able to get to work during a winter storm, although the computer system may be functional.
Hackers, sometimes called crackers, are a real and present danger to most organizational computer systems linked by networks. From outside the organization, sometimes from another continent, hackers break into computer systems and compromise the privacy and integrity of data before the unauthorized access is even detected.
Although insiders cause more damage than hackers do, the hacker problem remains serious and widespread. The effect of hacker activity on the public switched telephone network has been studied in depth. Studies by the National Research Council and the National Security Telecommunications Advisory Committee show that hacker activity is not limited to toll fraud.
It also includes the ability to break into telecommunications systems (such as switches) resulting in the degradation or disruption of system availability. While unable to reach a conclusion about the degree of threat or risk, these studies underscore the ability of hackers to cause serious damage.
The hacker threat often receives more attention than more common and dangerous threats. The U.S. Department of Justice's Computer Crime Unit suggests three reasons. First, the hacker threat is a more recently encountered threat.
Organizations have always had to worry about the actions of their own employees and could use disciplinary measures to reduce that threat. However, these controls are ineffective against outsiders who are not subject to the rules and regulations of the employer.
Secondly, organizations do not know the purposes of a hacker; some hackers only browse, some steal, some damage. This inability to identify purposes can suggest that hacker attacks have no limitations. Finally, hacker attacks make people feel vulnerable because the perpetrators are unknown.
Industrial espionage involves collecting proprietary data from private corporations or government agencies for the benefit of another company or organization. Industrial espionage can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries.
Foreign industrial espionage carried out by a government is known as economic espionage. Industrial espionage is on the rise. The most damaging types of stolen information include manufacturing and product development information. Other types of information stolen include sales and cost data, client lists, and research and planning information.
Within the area of economic espionage, the Central Intelligence Agency states that the main objective is obtaining information related to technology, but that information on U.S. government policy deliberations concerning foreign affairs and information on commodities, interest rates, and other economic factors is also a target.
The Federal Bureau of Investigation concurs that technology-related information is the main target, but also cites corporate proprietary information such as negotiating positions and other contracting data as a target.
Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other "uninvited" software. Malicious code is sometimes mistakenly associated only with personal computers, but can also attack systems that are more sophisticated.
However, actual costs attributed to the presence of malicious code have resulted primarily from system outages and staff time involved in repairing the systems. Nonetheless, these costs can be significant.
Malicious Software : Terms
Virus: A code segment, which replicates by attaching copies of itself to existing executables. The new copy of the virus is executed when a user executes the new host program. The virus may include an additional "payload" that triggers when specific conditions are met.
For example, some viruses display a text string on a particular date. There are many types of viruses including variants, overwriting, resident, stealth, and polymorphic. Trojan Horse: A program that performs a desired task, but also includes unexpected (and undesirable) functions.
Consider as an example an editing program for a multi-user system. This program could be modified to randomly delete one of the users' files each time they perform a useful function (editing) but the deletions are unexpected and definitely undesired! Worm: A self-replicating program, which is self-contained and does not require a host program.
The program creates a copy of itself and causes it to execute; no user intervention is required. Worms commonly utilize network services to propagate to other host systems. The number of known viruses is increasing, and the rate of virus incidents is growing moderately. Most organizations use anti-virus software and other protective measures to limit the risk of virus infection.
Foreign Goverment Espionage
In some instances, threats posed by foreign government intelligence services may be present. In addition to possible economic espionage, foreign intelligence services may target unclassified systems to further their intelligence missions.