Unit Outline
Information Security Risks, Part II
Module 1: Password Security
Module 2: Wireless Security
Module 3: Unintentional Threats
Module 4: Insider Threats
Module 5: Miscellaneous Threats
Module 6: Summary

Unintentional Threats
Learning Objectives
• Students should be able to:
  • Identify various types of unintentional threats
    • (i.e. equipment failure, software failure, user error, failure of communications services, failure to outsource operations, loss or absence of key personnel, misrouting/re-routing of messages, natural disasters, and environmental conditions)
  • Understand the impact of unintentional threats
  • Determine relevant controls for unintentional threats

Unintentional Threats
Software Failures
• Definition: Software behavior is in conflict with intended behavior
• Typical Behaviors:
  • Immediate loss of data due to abnormal end
  • Repeated failures when faulty data used again
• Vulnerabilities: Poor software development practices
• Prevention:
  • Enforce strict software development practices
  • Comprehensive software testing procedures
• Detection: Use software diagnostic tools
• Countermeasures
  • Backup software
  • Good software development practices
  • Regression Testing

Unintentional Threats
Equipment Failure
• Definition:
  • Hardware operates in abnormal, unintended
• Typical Behaviors:
  • Immediate loss of data due to abnormal shutdown. Continuing loss of capability until equipment is repaired
• Vulnerabilities:
  • Vital peripheral equipment is often more vulnerable than the computers themselves
• Prevention:
  • Replication of entire system including all data and recent transactions
• Detection:
  • Hardware diagnostic systems

Unintentional Threats
User Error
• Definition:
  • Inadvertent alteration, manipulation or destruction of programs, data files or hardware
• Typical Behaviors
  • Incorrect data entered into system or incorrect behavior of system
• Vulnerabilities
  • Poor user documentation or training
• Prevention:
  • Enforcement of training policies and separation of programmer/operator duties
• Detection
  • Audit trails of system transactions
• Countermeasures
  • Backup copies of software and data
  • On-site replication of hardware

Unintentional Threats
Failure of Communications Services
• Definition: Disallowing of communication between various sites, messages to external parties, access to information, applications and data stored on network storage devices.
• Typical Behaviors
  • Loss of communications service can lead to loss of availability of information.
  • Caused by accidental damage to network, hardware or software failure, environmental damage, or loss of essential services
• Vulnerabilities
  • Lack of redundancy and back-ups
  • Inadequate network management
  • Lack of planning and implementation of communications cabling
  • Inadequate incident handling
• Prevention:
  • Maintain communications equipment
• Countermeasures
  • Use an Uninterruptible Power Supply (UPS)
  • Perform continuous back-ups.
  • Plan and implement communications cabling well
  • Enforce network management

Unintentional Threats
Misrouting/Re-routing of messages
• Definition:
  • Accidental directing or re-routing of messages
• Typical Behaviors:
  • Can lead to loss of confidentiality if messages are not protected and loss of availability to the intended recipient.
• Vulnerabilities:
  • Inadequate user training
  • Non-encrypted sensitive data
  • Lack of message receipt proof
• Prevention:
  • Train users in policies
• Countermeasures:
  • Encrypt sensitive data
  • User receipts

Unintentional Threats
Failure in Outsourced Operations
• Definition: Outsourcing of operations must include security requirements and responsibilities
• Typical Behaviors
  • Failure of outsourced operations can result in loss of availability, confidentiality and integrity of information
• Vulnerabilities
  • Unclear obligations in outsourcing agreements
  • No business continuity plans or procedures for information and information asset recovery.
  • Back up files and systems not available.
• Prevention:
  • Create clear outsourcing agreements
• Countermeasures
  • Implement an effective business continuity plan
  • Back up files and system

Unintentional Threats
Loss or Absence of Key Personnel
• Definition:
  • Critical personnel are integral to the provision of company services
• Typical Behaviors:
  • Absence or loss of personnel can lead to loss of availability, confidentiality, integrity, and reliability.
• Vulnerabilities:
  • No backup of key personnel
  • Undocumented procedures
  • Lack of succession planning
• Prevention
  • Maintain redundancy of personnel skills
• Countermeasures
  • Document procedures
  • Plan for succession

Unintentional Threats
Natural Disasters
• Definition: Environmental condition which causes catastrophic damage. E.g. earthquakes, fire, flood, storms, tidal waves.
• Typical Behaviors
  • Physical Damage
  • Loss of data, documentation, and equipment
  • Loss of availability of information (leads to loss of trust, financial loss, legal liability)
• Vulnerabilities
  • Storing data and processing facilities in known location where natural disasters tend to occur
  • No fire/smoke detectors
  • No business continuity plans
  • Back-up files and systems are unavailable

Unintentional Threats
Natural Disasters, cont’d.
• Prevention:
  • Location is not known to be a place of natural disasters
• Detection
  • Weather Advisories
  • Fire/Smoke Alarms
• Countermeasures
  • Backup copies of software and data
  • Storage of data is located in another location
  • Have a business continuity plan in place

Unintentional Threats
Natural Disasters: Humidity
• Both excess and insufficient Humidity in the computer room can threaten system reliability.
• Too much moisture in the air can accelerate oxidation of electronic circuits, conductors and connectors
• Moisture can also provide high-resistance current paths that make circuits perform unpredictably.
• Lack of moisture increases the potential for equipment damage due to static electricity.

Unintentional Threats
Natural Disasters: Water Damage
• Water damage can be caused by common events such as rupturing of water pipes, leakage at pipe joints, or rain leaks from the roof
• Water damage can also be caused due to excess vapor condensation within air-conditioning equipment.
• Computer rooms protected by sprinkler systems are also susceptible to this additional water hazard.
• Even in raised floor computer rooms cable couplings that link computing devices can suffer from water damage

Unintentional Threats
Natural Disasters: Heat
• Incidents of over-temperature are, by far, the most commonly reported cause of computer down-time.
  • Caused by poor room planning (inadequate air conditioning)
  • Catastrophic failure of air conditioning
  • Failure of fans within computing devices
  • Blockage of air ducts providing cooling air to the room
• The conditions are not apparent to in-room personnel, and often remain undetected until damage occurs.

Unintentional Threats
Natural Disasters: Smoke & Fire
• Smoke and Fire present obvious hazards to the Computer installation.
• Smoke particles deposited on disk and tape surfaces can render the recorded data unrecoverable.
• Excessive heat can also damage recording media, and cause immediate failure of computer electronics.
• The interruption of operations during a disk or tape write cycle can destroy the contents of open files.

Unintentional Threats
Natural Disasters: Humidity
• Poor quality of power with large fluctuations in voltage as well as noise due to electrical noise from other devices
• Power fluctuations can cause stress on electronic components and degrade them
• Power fluctuations can also cause temporary shutdown of equipment
• Power noise and fluctuations can be reduced by using electronic devices

Unintentional Threats
Environmental Conditions
• Definition: Negative effects of environmental conditions. E.g. contamination, electronic interference, temperature and humidity extremes, power failure, power fluctuations
• Typical Behaviors
  • Chemical corrosion
  • Introduction of glitches or errors in data
  • Equipment failure
  • Availability of information can be compromised
  • Adverse Health Effects

Unintentional Threats
Environmental Conditions, cont’d.
• Vulnerabilities
  • Storing data and processing facilities in known location where natural disasters tend to occur
  • No fire/smoke detectors
  • No Uninterruptible Power Supply (UPS)
  • No business continuity plans
  • Back-up files and systems are unavailable
• Prevention
  • Location is not susceptible to environmental conditions
• Countermeasures
  • Backup copies of software and data
  • Storage of data is located in another location
  • Have a business continuity plan in place
  • Maintain business equipment and facilities
  • UPS equipment

Unintentional Threats
Summary
• Unintentional threats can still have an impact on information systems security.
• Threats such as user error can occur more frequently and should not be overlooked when doing risk analysis.
• Examples of unintentional threats include natural disasters, environmental conditions, employees who make mistakes in writing code or installing software or simply unexpected failure of software or equipment.