Unit Outline Information Security Risks, Part II - PowerPoint PPT Presentation
Presenter: Sanjay Goel, School of Business/Center for Information Forensics and ...
Slide 1. Unit Outline: Information Security Risks, Part II
  • Module 1: Password Security
  • Module 2: Wireless Security
  • Module 3: Unintentional Threats (this module)
  • Module 4: Insider Threats
  • Module 5: Miscellaneous Threats
  • Module 6: Summary

Slide 2. Module 3: Unintentional Threats

Slide 3. Unintentional Threats: Learning Objectives
  • Students should be able to:
    • Identify various types of unintentional threats (i.e. equipment failure, software failure, user error, failure of communications services, failure of outsourced operations, loss or absence of key personnel, misrouting/re-routing of messages, natural disasters, and environmental conditions)
    • Understand the impact of unintentional threats
    • Determine relevant controls for unintentional threats

Slide 4. Unintentional Threats: Software Failures
  • Definition: Software behavior is in conflict with intended behavior
  • Typical Behaviors:
    • Immediate loss of data due to abnormal end (abend)
    • Repeated failures when the faulty data are used again
  • Vulnerabilities: Poor software development practices
  • Prevention:
    • Enforce strict software development practices
    • Comprehensive software testing procedures
  • Detection: Use software diagnostic tools
  • Countermeasures:
    • Backup software
    • Good software development practices
    • Regression testing

Slide 5. Unintentional Threats: Equipment Failure
  • Definition: Hardware operates in abnormal, unintended
  • Typical Behaviors: Immediate loss of data due to abnormal shutdown; continuing loss of capability until the equipment is repaired
  • Vulnerabilities: Vital peripheral equipment is often more vulnerable than the computers themselves
  • Prevention: Replication of the entire system, including all data and recent transactions
  • Detection: Hardware diagnostic systems

Slide 6. Unintentional Threats: User Error
  • Definition: Inadvertent alteration, manipulation or destruction of programs, data files or hardware
  • Typical Behaviors: Incorrect data entered into the system, or incorrect behavior of the system
  • Vulnerabilities: Poor user documentation or training
  • Prevention: Enforcement of training policies and separation of programmer/operator duties
  • Detection: Audit trails of system transactions
  • Countermeasures:
    • Backup copies of software and data
    • On-site replication of hardware

Slide 7. Unintentional Threats: Failure of Communications Services
  • Definition: Loss of communication between sites, of messages to external parties, and of access to information, applications and data stored on network storage devices
  • Typical Behaviors:
    • Loss of communications service can lead to loss of availability of information
    • Caused by accidental damage to the network, hardware or software failure, environmental damage, or loss of essential services
  • Vulnerabilities:
    • Lack of redundancy and back-ups
    • Inadequate network management
    • Lack of planning and implementation of communications cabling
    • Inadequate incident handling
  • Prevention: Maintain communications equipment
  • Countermeasures:
    • Use an Uninterruptible Power Supply (UPS)
    • Perform continuous back-ups
    • Plan and implement communications cabling well
    • Enforce network management

Slide 8. Unintentional Threats: Misrouting/Re-routing of Messages
  • Definition: Accidental directing or re-routing of messages
  • Typical Behaviors: Can lead to loss of confidentiality if messages are not protected, and to loss of availability to the intended recipient
  • Vulnerabilities:
    • Inadequate user training
    • Non-encrypted sensitive data
    • Lack of proof of message receipt
  • Prevention: Train users in policies
  • Countermeasures:
    • Encrypt sensitive data
    • User receipts

Slide 9. Unintentional Threats: Failure in Outsourced Operations
  • Definition: Outsourcing of operations must include security requirements and responsibilities
  • Typical Behaviors: Failure of outsourced operations can result in loss of availability, confidentiality and integrity of information
  • Vulnerabilities:
    • Unclear obligations in outsourcing agreements
    • No business continuity plans or procedures for information and information asset recovery
    • Back-up files and systems not available
  • Prevention: Create clear outsourcing agreements
  • Countermeasures:
    • Implement an effective business continuity plan
    • Back up files and systems

Slide 10. Unintentional Threats: Loss or Absence of Key Personnel
  • Definition: Critical personnel are integral to the provision of company services
  • Typical Behaviors: Absence or loss of personnel can lead to loss of availability, confidentiality, integrity, and reliability
  • Vulnerabilities:
    • No backup of key personnel
    • Undocumented procedures
    • Lack of succession planning
  • Prevention: Maintain redundancy of personnel skills
  • Countermeasures:
    • Document procedures
    • Plan for succession

Slide 11. Unintentional Threats: Natural Disasters
  • Definition: Environmental condition which causes catastrophic damage, e.g. earthquakes, fire, flood, storms, tidal waves
  • Typical Behaviors:
    • Physical damage
    • Loss of data, documentation, and equipment
    • Loss of availability of information (leads to loss of trust, financial loss, legal liability)
  • Vulnerabilities:
    • Storing data and siting processing facilities in a location where natural disasters are known to occur
    • No fire/smoke detectors
    • No business continuity plans
    • Back-up files and systems are unavailable

Slide 12. Unintentional Threats: Natural Disasters, contd.
  • Prevention: Site facilities in a location not known for natural disasters
  • Detection:
    • Weather advisories
    • Fire/smoke alarms
  • Countermeasures:
    • Backup copies of software and data
    • Store data in another location
    • Have a business continuity plan in place

Slide 13. Unintentional Threats: Natural Disasters, Humidity
  • Both excess and insufficient humidity in the computer room can threaten system reliability.
  • Too much moisture in the air can accelerate oxidation of electronic circuits, conductors and connectors.
  • Moisture can also provide high-resistance current paths that make circuits perform unpredictably.
  • Lack of moisture increases the potential for equipment damage due to static electricity.

Slide 14. Unintentional Threats: Natural Disasters, Water Damage
  • Water damage can be caused by common events such as rupturing of water pipes, leakage at pipe joints, or rain leaks from the roof.
  • Water damage can also be caused by excess vapor condensation within air-conditioning equipment.
  • Computer rooms protected by sprinkler systems are also susceptible to this additional water hazard.
  • Even in raised-floor computer rooms, the cable couplings that link computing devices can suffer water damage.

Slide 15. Unintentional Threats: Natural Disasters, Heat
  • Incidents of over-temperature are, by far, the most commonly reported cause of computer down-time.
  • Causes include:
    • Poor room planning (inadequate air conditioning)
    • Catastrophic failure of air conditioning
    • Failure of fans within computing devices
    • Blockage of air ducts providing cooling air to the room
  • These conditions are not apparent to in-room personnel, and often remain undetected until damage occurs.

Slide 16. Unintentional Threats: Natural Disasters, Smoke and Fire
  • Smoke and fire present obvious hazards to the computer installation.
  • Smoke particles deposited on disk and tape surfaces can render the recorded data unrecoverable.
  • Excessive heat can also damage recording media and cause immediate failure of computer electronics.
  • The interruption of operations during a disk or tape write cycle can destroy the contents of open files.

Slide 17. Unintentional Threats: Natural Disasters, Power Quality
  • Poor power quality: large fluctuations in voltage, as well as electrical noise from other devices.
  • Power fluctuations can cause stress on electronic components and degrade them.
  • Power fluctuations can also cause temporary shutdown of equipment.
  • Power noise and fluctuations can be reduced by using power-conditioning devices such as a UPS.

Slide 18. Unintentional Threats: Environmental Conditions
  • Definition: Negative effects of environmental conditions, e.g. contamination, electronic interference, temperature and humidity extremes, power failure, power fluctuations
  • Typical Behaviors:
    • Chemical corrosion
    • Introduction of glitches or errors in data
    • Equipment failure
    • Availability of information can be compromised
    • Adverse health effects

Slide 19. Unintentional Threats: Environmental Conditions, contd.
  • Vulnerabilities:
    • Storing data and siting processing facilities in a location where natural disasters are known to occur
    • No fire/smoke detectors
    • No Uninterruptible Power Supply (UPS)
    • No business continuity plans
    • Back-up files and systems are unavailable
  • Prevention: Choose a location that is not susceptible to adverse environmental conditions
  • Countermeasures:
    • Backup copies of software and data
    • Store data in another location
    • Have a business continuity plan in place
    • Maintain business equipment and facilities
    • UPS equipment

Slide 20. Unintentional Threats: Summary
  • Unintentional threats can still have an impact on information systems security.
  • Threats such as user error can occur more frequently and should not be overlooked when doing risk analysis.
  • Examples of unintentional threats include natural disasters, environmental conditions, employees who make mistakes in writing code or installing software, or simply unexpected failure of software or equipment.