
Unit Outline Information Security Risks, Part II


Presentation Transcript


  1. Unit Outline: Information Security Risks, Part II
     • Module 1: Password Security
     • Module 2: Wireless Security
     • Module 3: Unintentional Threats
     • Module 4: Insider Threats
     • Module 5: Miscellaneous Threats
     • Module 6: Summary

  2. Module 3: Unintentional Threats

  3. Unintentional Threats: Learning Objectives
     • Students should be able to:
       • Identify various types of unintentional threats (i.e. equipment failure, software failure, user error, failure of communications services, failure of outsourced operations, loss or absence of key personnel, misrouting/re-routing of messages, natural disasters, and environmental conditions)
       • Understand the impact of unintentional threats
       • Determine relevant controls for unintentional threats

  4. Unintentional Threats: Software Failures
     • Definition: Software behaviour is in conflict with its intended behaviour
     • Typical Behaviours:
       • Immediate loss of data due to abnormal termination
       • Repeated failures when the same faulty data is used again
     • Vulnerabilities: Poor software development practices
     • Prevention:
       • Enforce strict software development practices
       • Comprehensive software testing procedures
     • Detection: Use software diagnostic tools
     • Countermeasures:
       • Backup software
       • Good software development practices
       • Regression testing
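The two "typical behaviours" on this slide, a batch job that terminates abnormally on one bad record and then fails identically on every re-run, are easiest to see in code. The following is an added example, not part of the original slides: a fragile record processor, a hardened replacement that quarantines faulty records instead of aborting, and a regression check built from the very input that caused the failure. The record format and the sample batch are constructed for this example.

```python
"""Added example: software-failure handling and regression testing.
The record format (id,user,amount) and SAMPLE_BATCH are constructed."""
from dataclasses import dataclass, field

# Constructed sample input: the third line is malformed (missing the amount field).
SAMPLE_BATCH = [
    "1001,alice,250.00",
    "1002,bob,75.50",
    "1003,carol",            # faulty record: only two fields
    "1004,dave,120.25",
]


def process_batch_fragile(lines):
    """'Before' behaviour: unpacking fails on the first bad record, the whole
    batch is lost, and every re-run of the same file fails the same way."""
    total = 0.0
    for line in lines:
        record_id, user, amount = line.split(",")   # ValueError on the faulty line
        total += float(amount)
    return total


@dataclass
class BatchResult:
    total: float = 0.0
    processed: int = 0
    quarantined: list = field(default_factory=list)   # (line number, line, reason)


def process_batch_robust(lines):
    """Hardened version: validates each record, quarantines faulty ones with a
    reason for later review, and still returns totals for the good records."""
    result = BatchResult()
    for lineno, line in enumerate(lines, start=1):
        fields = line.split(",")
        if len(fields) != 3:
            result.quarantined.append((lineno, line, "expected 3 fields"))
            continue
        record_id, user, amount = fields
        try:
            value = float(amount)
        except ValueError:
            result.quarantined.append((lineno, line, "amount is not numeric"))
            continue
        if value < 0:
            result.quarantined.append((lineno, line, "negative amount"))
            continue
        result.total += value
        result.processed += 1
    return result


def regression_check():
    """Regression test: the exact batch that caused the abnormal termination
    must now process without raising and must flag the bad line."""
    try:
        process_batch_fragile(SAMPLE_BATCH)
        fragile_failed = False
    except ValueError:
        fragile_failed = True
    result = process_batch_robust(SAMPLE_BATCH)
    assert fragile_failed, "fragile version should fail on this input"
    assert result.processed == 3
    assert [q[0] for q in result.quarantined] == [3]
    assert round(result.total, 2) == 445.75
    return True


if __name__ == "__main__":
    regression_check()
    print(process_batch_robust(SAMPLE_BATCH))
```

The point of `regression_check` is that the faulty input becomes a permanent test fixture: once a failure has been seen, the same data is replayed on every build so the defect cannot silently return.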

  5. Unintentional Threats: Equipment Failure
     • Definition: Hardware operates in an abnormal, unintended way
     • Typical Behaviours:
       • Immediate loss of data due to abnormal shutdown
       • Continuing loss of capability until the equipment is repaired
     • Vulnerabilities: Vital peripheral equipment is often more vulnerable than the computers themselves
     • Prevention: Replication of the entire system, including all data and recent transactions
     • Detection: Hardware diagnostic systems

  6. Unintentional Threats: User Error
     • Definition: Inadvertent alteration, manipulation or destruction of programs, data files or hardware
     • Typical Behaviours: Incorrect data entered into the system, or incorrect behaviour of the system
     • Vulnerabilities: Poor user documentation or training
     • Prevention: Enforcement of training policies and separation of programmer/operator duties
     • Detection: Audit trails of system transactions
     • Countermeasures:
       • Backup copies of software and data
       • On-site replication of hardware
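The detection and countermeasure on this slide, an audit trail plus backup copies, work together: the trail shows which transactions an operator made, and the recorded "before" values let those transactions be undone. The following is an added example, not code from the original slides: a small store that logs every transaction, a detection pass that flags deletions and large numeric changes, and a revert that replays an operator's changes backwards. Account names, balances and the flagging threshold are constructed assumptions.

```python
"""Added example: audit trail of transactions, detection of suspicious
entries, and revert of one operator's changes. All data is constructed."""
from copy import deepcopy
from datetime import datetime, timezone


class AuditedStore:
    """Key/value store whose every transaction lands in an append-only audit trail."""

    def __init__(self):
        self.data = {}
        self.audit_log = []  # list of dicts; only ever appended to, never edited

    def _record(self, actor, op, key, before, after):
        self.audit_log.append({
            "seq": len(self.audit_log) + 1,
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "op": op, "key": key,
            "before": deepcopy(before), "after": deepcopy(after),
        })

    def set(self, key, value, actor):
        self._record(actor, "set", key, self.data.get(key), value)
        self.data[key] = value

    def delete(self, key, actor):
        self._record(actor, "delete", key, self.data.get(key), None)
        self.data.pop(key, None)

    def snapshot(self):
        """Backup copy of the current data (the 'backup copies' countermeasure)."""
        return deepcopy(self.data)


def flag_suspicious(store, ratio=5.0):
    """Detection: entries that delete a record or change a numeric value by more
    than `ratio` times. The ratio is an assumed threshold for this example."""
    flagged = []
    for e in store.audit_log:
        if e["op"] == "delete":
            flagged.append(e)
        elif isinstance(e["before"], (int, float)) and isinstance(e["after"], (int, float)):
            lo, hi = sorted([abs(e["before"]), abs(e["after"])])
            if lo == 0 or hi / lo > ratio:
                flagged.append(e)
    return flagged


def revert_actor(store, actor, reviewer):
    """Undo every transaction made by `actor`, newest first, recording each undo
    as a new transaction by `reviewer` so the trail stays complete."""
    for e in reversed([e for e in store.audit_log if e["actor"] == actor]):
        if e["before"] is None:
            store.delete(e["key"], reviewer)
        else:
            store.set(e["key"], e["before"], reviewer)
    return store.snapshot()


def demo():
    """Constructed scenario: an operator mistypes a balance and deletes the wrong account."""
    store = AuditedStore()
    store.set("acct:1001", 2500.0, "alice")
    store.set("acct:1002", 80.0, "alice")
    backup = store.snapshot()
    store.set("acct:1001", 25.0, "bob")    # typo: two digits dropped
    store.delete("acct:1002", "bob")       # wrong account removed
    flagged = flag_suspicious(store)
    restored = revert_actor(store, "bob", "auditor")
    return backup, flagged, restored


if __name__ == "__main__":
    backup, flagged, restored = demo()
    print("flagged:", [(e["seq"], e["op"], e["key"]) for e in flagged])
    print("restored matches backup:", restored == backup)
```

Because the undo is itself logged as a transaction, the trail never loses information; it records both the mistake and its correction, which is what an investigator later needs.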

  7. Unintentional Threats: Failure of Communications Services
     • Definition: Loss of communication between sites, of messages to external parties, and of access to information, applications and data stored on network storage devices
     • Typical Behaviours:
       • Loss of communications service can lead to loss of availability of information
       • Caused by accidental damage to the network, hardware or software failure, environmental damage, or loss of essential services
     • Vulnerabilities:
       • Lack of redundancy and back-ups
       • Inadequate network management
       • Lack of planning and implementation of communications cabling
       • Inadequate incident handling
     • Prevention: Maintain communications equipment
     • Countermeasures:
       • Use an Uninterruptible Power Supply (UPS)
       • Perform continuous back-ups
       • Plan and implement communications cabling well
       • Enforce network management

  8. Unintentional Threats: Misrouting/Re-routing of Messages
     • Definition: Accidental directing or re-routing of messages
     • Typical Behaviours: Can lead to loss of confidentiality if messages are not protected, and loss of availability to the intended recipient
     • Vulnerabilities:
       • Inadequate user training
       • Non-encrypted sensitive data
       • Lack of proof of message receipt
     • Prevention: Train users in policies
     • Countermeasures:
       • Encrypt sensitive data
       • User receipts

  9. Unintentional Threats: Failure in Outsourced Operations
     • Definition: Outsourcing of operations must include security requirements and responsibilities
     • Typical Behaviours: Failure of outsourced operations can result in loss of availability, confidentiality and integrity of information
     • Vulnerabilities:
       • Unclear obligations in outsourcing agreements
       • No business continuity plans or procedures for information and information asset recovery
       • Back-up files and systems not available
     • Prevention: Create clear outsourcing agreements
     • Countermeasures:
       • Implement an effective business continuity plan
       • Back up files and systems

  10. Unintentional Threats: Loss or Absence of Key Personnel
     • Definition: Critical personnel are integral to the provision of company services
     • Typical Behaviours: Absence or loss of personnel can lead to loss of availability, confidentiality, integrity, and reliability
     • Vulnerabilities:
       • No backup of key personnel
       • Undocumented procedures
       • Lack of succession planning
     • Prevention: Maintain redundancy of personnel skills
     • Countermeasures:
       • Document procedures
       • Plan for succession

  11. Unintentional Threats: Natural Disasters
     • Definition: Environmental condition which causes catastrophic damage, e.g. earthquakes, fire, flood, storms, tidal waves
     • Typical Behaviours:
       • Physical damage
       • Loss of data, documentation, and equipment
       • Loss of availability of information (leads to loss of trust, financial loss, legal liability)
     • Vulnerabilities:
       • Storing data and processing facilities in a location where natural disasters are known to occur
       • No fire/smoke detectors
       • No business continuity plans
       • Back-up files and systems are unavailable

  12. Unintentional Threats: Natural Disasters, cont'd.
     • Prevention: Site facilities in a location not known for natural disasters
     • Detection:
       • Weather advisories
       • Fire/smoke alarms
     • Countermeasures:
       • Backup copies of software and data
       • Store data at another location
       • Have a business continuity plan in place

  13. Unintentional Threats: Natural Disasters: Humidity
     • Both excess and insufficient humidity in the computer room can threaten system reliability
     • Too much moisture in the air can accelerate oxidation of electronic circuits, conductors and connectors
     • Moisture can also provide high-resistance current paths that make circuits perform unpredictably
     • Lack of moisture increases the potential for equipment damage due to static electricity

  14. Unintentional Threats: Natural Disasters: Water Damage
     • Water damage can be caused by common events such as rupturing of water pipes, leakage at pipe joints, or rain leaks from the roof
     • Water damage can also be caused by excess vapour condensation within air-conditioning equipment
     • Computer rooms protected by sprinkler systems are also susceptible to this additional water hazard
     • Even in raised-floor computer rooms, the cable couplings that link computing devices can suffer water damage

  15. Unintentional Threats: Natural Disasters: Heat
     • Incidents of over-temperature are, by far, the most commonly reported cause of computer downtime
     • Caused by:
       • Poor room planning (inadequate air conditioning)
       • Catastrophic failure of air conditioning
       • Failure of fans within computing devices
       • Blockage of air ducts providing cooling air to the room
     • The conditions are not apparent to in-room personnel, and often remain undetected until damage occurs

  16. Unintentional Threats: Natural Disasters: Smoke & Fire
     • Smoke and fire present obvious hazards to the computer installation
     • Smoke particles deposited on disk and tape surfaces can render the recorded data unrecoverable
     • Excessive heat can also damage recording media, and cause immediate failure of computer electronics
     • The interruption of operations during a disk or tape write cycle can destroy the contents of open files

  17. Unintentional Threats: Natural Disasters: Power
     • Poor quality of power, with large fluctuations in voltage as well as electrical noise from other devices
     • Power fluctuations can cause stress on electronic components and degrade them
     • Power fluctuations can also cause temporary shutdown of equipment
     • Power noise and fluctuations can be reduced by using power-conditioning equipment (e.g. a UPS)

  18. Unintentional Threats: Environmental Conditions
     • Definition: Negative effects of environmental conditions, e.g. contamination, electronic interference, temperature and humidity extremes, power failure, power fluctuations
     • Typical Behaviours:
       • Chemical corrosion
       • Introduction of glitches or errors in data
       • Equipment failure
       • Availability of information can be compromised
       • Adverse health effects

  19. Unintentional Threats: Environmental Conditions, cont'd.
     • Vulnerabilities:
       • Storing data and processing facilities in a location where natural disasters are known to occur
       • No fire/smoke detectors
       • No Uninterruptible Power Supply (UPS)
       • No business continuity plans
       • Back-up files and systems are unavailable
     • Prevention: Site facilities in a location not susceptible to adverse environmental conditions
     • Countermeasures:
       • Backup copies of software and data
       • Store data at another location
       • Have a business continuity plan in place
       • Maintain business equipment and facilities
       • UPS equipment
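Slides 13 to 17 describe conditions (humidity extremes, over-temperature, power fluctuations) that "are not apparent to in-room personnel, and often remain undetected until damage occurs", and slides 18 and 19 list the countermeasures. Continuous sensor monitoring is the detection control that closes that gap. The following is an added example, not part of the original slides: it classifies a constructed set of computer-room readings against operating ranges and also flags a fast temperature rise that is still inside limits, which is the early sign of an air-conditioning failure. All threshold values, the 230 V nominal supply and the readings themselves are assumptions for this example.

```python
"""Added example: environmental monitoring for a computer room.
Limits, nominal voltage and SAMPLE_READINGS are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Limits:
    temp_c: tuple = (18.0, 27.0)    # assumed safe intake temperature range, degrees C
    rh_pct: tuple = (40.0, 60.0)    # assumed relative-humidity range, percent
    volts: tuple = (216.0, 253.0)   # assumed tolerance around an assumed 230 V supply


# Constructed readings: (ISO-8601 timestamp, sensor name, value)
SAMPLE_READINGS = [
    ("2024-01-01T10:00:00Z", "temp_c", 22.0),
    ("2024-01-01T10:00:00Z", "rh_pct", 45.0),
    ("2024-01-01T10:00:00Z", "volts", 230.0),
    ("2024-01-01T10:05:00Z", "temp_c", 29.5),   # room warming: fan or AC failure
    ("2024-01-01T10:05:00Z", "rh_pct", 72.0),   # excess moisture: condensation risk
    ("2024-01-01T10:05:00Z", "volts", 196.0),   # under-voltage: brownout
    ("2024-01-01T10:10:00Z", "rh_pct", 18.0),   # dry air: static-discharge risk
]

# Why each out-of-range state matters, as the slides describe
EXPLANATIONS = {
    ("temp_c", "high"): "over-temperature: the most common cause of downtime",
    ("temp_c", "low"): "under-temperature: condensation on cold surfaces",
    ("rh_pct", "high"): "excess moisture: oxidation and leakage current paths",
    ("rh_pct", "low"): "dry air: static electricity damage",
    ("volts", "high"): "over-voltage: stress on electronic components",
    ("volts", "low"): "under-voltage: temporary shutdown of equipment",
}


def classify(sensor, value, limits=Limits()):
    """Return 'low', 'high' or 'ok' for one reading against the configured limits."""
    lo, hi = getattr(limits, sensor)
    if value < lo:
        return "low"
    if value > hi:
        return "high"
    return "ok"


def evaluate(readings, limits=Limits()):
    """Produce one alert per out-of-range reading, with the reason it matters."""
    alerts = []
    for ts, sensor, value in readings:
        state = classify(sensor, value, limits)
        if state != "ok":
            alerts.append({"ts": ts, "sensor": sensor, "value": value,
                           "state": state, "reason": EXPLANATIONS[(sensor, state)]})
    return alerts


def rate_of_rise(readings, sensor, max_delta_per_min=1.0):
    """Flag a fast rise between consecutive readings even while still inside
    limits: a catastrophic air-conditioning failure warms a room quickly.
    The 1.0 per-minute threshold is an assumption. Returns (timestamp, rate)."""
    series = sorted((datetime.fromisoformat(ts.replace("Z", "+00:00")), v)
                    for ts, s, v in readings if s == sensor)
    spikes = []
    for (t0, v0), (t1, v1) in zip(series, series[1:]):
        minutes = (t1 - t0).total_seconds() / 60
        if minutes > 0 and (v1 - v0) / minutes > max_delta_per_min:
            spikes.append((t1.isoformat(), round((v1 - v0) / minutes, 2)))
    return spikes


if __name__ == "__main__":
    for a in evaluate(SAMPLE_READINGS):
        print(f"{a['ts']} {a['sensor']}={a['value']} {a['state']}: {a['reason']}")
    print("temperature spikes:", rate_of_rise(SAMPLE_READINGS, "temp_c"))
```

Threshold alerts alone arrive late; the rate-of-rise check is what turns the "undetected until damage occurs" problem into an early warning, which is why a practitioner would monitor the trend as well as the absolute value.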

  20. Unintentional Threats: Summary
     • Unintentional threats can still have an impact on information systems security
     • Threats such as user error can occur more frequently and should not be overlooked when doing risk analysis
     • Examples of unintentional threats include natural disasters, environmental conditions, employees who make mistakes in writing code or installing software, or simply unexpected failure of software or equipment
