Posts: 108
Topic starter
(@taichi)
Member
Joined: 4 years ago

This list of threats and vulnerabilities can serve as a help for implementing risk assessment within the framework of ISO 27001 or ISO 22301. This list is not final – each organization must add their own specific threats and vulnerabilities that endanger the confidentiality, integrity and availability of their assets.

Threats

Below is a list of threats – this is not a definitive list, it must be adapted to the individual organization:

  • Access to the network by unauthorized persons
  • Bomb attack
  • Bomb threat
  • Breach of contractual relations
  • Breach of legislation
  • Compromising confidential information
  • Concealing user identity
  • Damage caused by a third party
  • Damages resulting from penetration testing
  • Destruction of records
  • Disaster (human caused)
  • Disaster (natural)
  • Disclosure of information
  • Disclosure of passwords
  • Eavesdropping
  • Embezzlement
  • Errors in maintenance
  • Failure of communication links
  • Falsification of records
  • Fire
  • Flood
  • Fraud
  • Industrial espionage
  • Information leakage
  • Interruption of business processes
  • Loss of electricity
  • Loss of support services
  • Malfunction of equipment
  • Malicious code
  • Misuse of information systems
  • Misuse of audit tools
  • Pollution
  • Social engineering
  • Software errors
  • Strike
  • Terrorist attacks
  • Theft
  • Thunderstroke
  • Unintentional change of data in an information system
  • Unauthorized access to the information system
  • Unauthorized changes of records
  • Unauthorized installation of software
  • Unauthorized physical access
  • Unauthorized use of copyright material
  • Unauthorized use of software
  • User error
  • Vandalism

 

Vulnerabilities

Below is a list of vulnerabilities – this is not a definitive list, it must be adapted to the individual organization:

  • Complicated user interface
  • Default passwords not changed
  • Disposal of storage media without deleting data
  • Equipment sensitivity to changes in voltage
  • Equipment sensitivity to moisture and contaminants
  • Equipment sensitivity to temperature
  • Inadequate cabling security
  • Inadequate capacity management
  • Inadequate change management
  • Inadequate classification of information
  • Inadequate control of physical access
  • Inadequate maintenance
  • Inadequate network management
  • Inadequate or irregular backup
  • Inadequate password management
  • Inadequate physical protection
  • Inadequate protection of cryptographic keys
  • Inadequate replacement of older equipment
  • Inadequate security awareness
  • Inadequate segregation of duties
  • Inadequate segregation of operational and testing facilities
  • Inadequate supervision of employees
  • Inadequate supervision of vendors
  • Inadequate training of employees
  • Incomplete specification for software development
  • Insufficient software testing
  • Lack of access control policy
  • Lack of clean desk and clear screen policy
  • Lack of control over the input and output data
  • Lack of internal documentation
  • Lack of or poor implementation of internal audit
  • Lack of policy for the use of cryptography
  • Lack of procedure for removing access rights upon termination of employment
  • Lack of protection for mobile equipment
  • Lack of redundancy
  • Lack of systems for identification and authentication
  • Lack of validation of the processed data
  • Location vulnerable to flooding
  • Poor selection of test data
  • Single copy
  • Too much power in one person
  • Uncontrolled copying of data
  • Uncontrolled download from the Internet
  • Uncontrolled use of information systems
  • Undocumented software
  • Unmotivated employees
  • Unprotected public network connections
  • User rights are not reviewed regularly
2 Replies
Posts: 108
Topic starter
(@taichi)
Member
Joined: 4 years ago

Information Technology Threats and Vulnerabilities

Audience: anyone requesting, conducting or participating in an IT risk assessment.

Introduction

A threat and a vulnerability are not one and the same. A threat is a person or event that has the potential for impacting a valuable resource in a negative manner. A vulnerability is that quality of a resource or its environment that allows the threat to be realized. An armed bank robber is an example of a threat. A bank teller is an example of a valuable resource that may be vulnerable during a bank robbery. Bullet-proof glass between the robber and the teller denies the robber the opportunity to shoot the teller. The threat remains present, but one of its harmful effects (a gun shot) has been mitigated by a protection mechanism (the glass).

In system and network security, the threats remain present but are mitigated through the proper use of security features and procedures. Mitigation is any effort to prevent the threat from having a negative impact, or to limit the damage where total prevention is not possible, or to improve the speed or effectiveness of the recovery effort.

Hardware and software systems and the data they process can be vulnerable to a wide variety of threats. The selection of security features and procedures must be based not only on general security objectives but also on the specific vulnerabilities of the system in question in light of the threats to which the system is exposed. It is possible to over-protect, which only wastes resources and inconveniences users.

As you can see, there is a relationship between threats and vulnerabilities. Sometimes it is easier to examine each potential threat and determine the extent to which you are vulnerable (e.g. fire, flood, earthquake). In other cases it is easier to look for potential vulnerabilities with no particular threat in mind (e.g. improper mounting of equipment, media failure, data entry error). In order to arrive at a complete risk assessment, both perspectives must be examined. Threats and vulnerabilities are intermixed in the following list and can be referred to collectively as potential "security concerns."

For ease of discussion and use, concerns can be divided into four categories. Environmental concerns include undesirable site-specific chance occurrences such as lightning, dust and sprinkler activation. Physical concerns include undesirable site-specific personnel actions, either intentional or unintentional, such as theft, vandalism and trip hazards. Site-Support concerns include foundational site aspects such as electrical power, telephone service and climate control. These three categories of concerns are generally not resolvable as part of system design and administration - they are more appropriately addressed as part of facility design and maintenance, thereby encompassing all systems present.

The final category, Technical concerns, includes insidious system-specific situations such as improper system operation, malicious software and line tapping. The actual threats are few: untrained and nefarious users and system calamities. It is far more useful to explore the many avenues (vulnerabilities) open to these users and events, and to consider ways to prevent these occurrences and/or provide for rapid recovery.

The following list is meant to be used as a starting point in any IT risk assessment. Each potential concern must be evaluated for a particular site or system to determine the extent to which it applies. The probability of its occurrence, coupled with the projected impact of the event and the cost of the appropriate mitigation yields a prioritized list of security concerns that should be addressed.

Environmental (undesirable site-specific chance occurrences)

  • Fire
  • Flood
  • Tsunami
  • Earthquake
  • Volcanic Eruptions
  • Lightning
  • Severe Weather
  • Smoke
  • Dust
  • Insects
  • Rodents
  • Chemical Fumes
  • Sprinkler Activation
  • Water Leakage - pipe breakage, hole in roof, condensation
  • Explosion - nearby gas line, chemical plant, tank farm, munitions depot
  • Vibration - nearby railroad track, jet traffic, construction site
  • Electromagnetic Interference - suggested by poor radio reception or jittery workstation displays
  • Electrostatic Discharge - suggested by "sparking" to grounded objects

Physical (undesirable site-specific personnel actions)

  • Unauthorized Facility Access
  • Theft
  • Vandalism
  • Sabotage
  • Extortion
  • Terrorism / Bomb Threat
  • Labor Unrest - employees and support contractors
  • War / Civil Unrest
  • Improper Transportation - equipment dropped, submerged, exposed to weather or X-rayed in transit
  • Improper Mounting/Storage - equipment exposed to bumps, kicks or weather
  • Spillage / Droppage - hazardous materials permitted near equipment (e.g. food, liquids)
  • Magnets / Magnetic Tools - can erase data or damage sensitive equipment
  • Collision - fork lift, auto, plane, wheelchair
  • Trip Hazards / Falls - equipment poses personnel hazards
  • Fire Hazards - flammable materials stored nearby

Site-Support (foundational site aspects)

  • Power Outage
  • Extreme / Unstable Temperatures
  • Extreme / Unstable Humidity
  • Unsafe Environment - unfit for human occupation
  • Facility Inaccessibility - blocked ingress
  • Inability to Cut Power - during fire, flood, etc.
  • Electrical Noise / Bad Ground - suggested by flickering lights or jittery workstation displays
  • Improper Maintenance - unqualified support or preventive maintenance behind schedule
  • Personnel Unavailability - inability to contact operations or support personnel
  • Telephone Failure - inability to contact site from outside, inability to call out, service completely unavailable
  • Inappropriate Fire Suppression - water, foam, PKP, Halon
  • Inappropriate Trash Disposal - sensitive data released in an unauthorized manner

Technical (insidious system-specific situations)

  • Improper / Inadequate Procedure - foreseeable events not supported by complete and accurate documentation and training
  • Improper Operation - operating equipment beyond capacity or outside of manufacturer's constraints
  • Improper Hardware Configuration - prescribed hardware configured in other than the prescribed manner during installation
  • Improper Software Configuration - prescribed software configured in other than the prescribed manner during installation
  • Unauthorized Hardware / Modification - adding other-than-prescribed hardware or making unauthorized hardware modifications
  • Unauthorized Software / Modification - adding other-than-prescribed software or making unauthorized software modifications
  • Unauthorized Software Duplication - creating copies of licensed software that are not covered by a valid license
  • Unauthorized Logical Access - acquiring the use of a system for which no access has been authorized (as opposed to gaining physical access to the hardware)
  • Malfeasance (exceeding authorizations) - acquiring the use of a system in excess of that which has been authorized
  • Unsanctioned Use / Exceeding Licensing - utilizing authorized system resources for unauthorized purposes (resume, church bulletin, non-job-related e-mail or Internet browsing) or exceeding a user licensing agreement
  • Over- or Under-Classification - labeling of a resource at a higher or lower level of sensitivity than appropriate
  • Malicious Software - software whose purpose is to degrade system performance, modify or destroy data, steal resources or subvert security in any manner
  • Hardware Error / Failure [functionality] - hardware that stops providing the desired user services/resources
  • Hardware Error / Failure [security] - hardware that stops providing the desired security services/resources
  • Software Error / Failure [functionality] - software that stops providing the desired user services/resources
  • Software Error / Failure [security] - software that stops providing the desired security services/resources
  • Media Failure - storage media that stops retaining stored information in a retrievable/intact manner
  • Data Remanence - storage media that retains stored information in a retrievable/intact manner longer than desired (failure to totally erase)
  • Object Reuse - a system providing the user with a storage object (e.g. memory or disk space) that contains useful information belonging to another user
  • Communications Failure / Overload - a communications facility that stops providing service or is unable to provide service at the requested capacity
  • Communications Error - a communications facility that provides inaccurate service
  • Data Entry Error - a system accepting erroneous data as legitimate
  • Accidental Software Modification / Deletion - deleting or otherwise making unavailable necessary software
  • Accidental Data Modification / Deletion - deleting or otherwise making unavailable necessary data
  • Accidental Data Disclosure - inadvertently revealing sensitive data to an unauthorized user
  • Repudiation - participating in a process or transaction but then denying having done so
  • Masquerading - participating in a process or transaction but posing as another user
  • Message Playback - recording a legitimate transmission for retransmission at a later time in an attempt to gain unauthorized privileges
  • Message Flooding - generating an inordinately large quantity of transmissions in an attempt to make a system or service unavailable due to overload
  • Line Tapping - connecting to a communications facility in an unauthorized manner in an attempt to glean useful information
  • Electronic Emanations - information-bearing spurious emissions associated with all electronic equipment (prevented by TEMPEST equipment or shielding)
  • Geo-location - a system inadvertently revealing the current physical location of a user

    NOTE: The above list of Technical concerns is somewhat generic but is useful during system design and remains useful at a high level during system audits; a more detailed list of system-specific vulnerabilities would be so long and dynamic as to be unmanageable - automated tools should be used to identify operating system-, application- and middle-ware-specific vulnerabilities.

 

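The post above says the probability of a concern, its projected impact and the cost of mitigating it together yield a prioritized list. Here is an added example of that step in working code; it is not code from the post or from any ISO 27001 toolkit. The five-point likelihood and impact scales, the three-point cost scale, the risk appetite of 8 and the "cheaper mitigation first" tie-break are all assumptions of this example, and the register rows are constructed by pairing threats and vulnerabilities from the lists in this thread.

```python
from dataclasses import dataclass

# Five-point ordinal scales. These are an assumption of this example;
# ISO 27001 leaves the choice of scale to the organization.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
COST = {"low": 1, "medium": 2, "high": 3}  # relative cost of the mitigation (assumed scale)


@dataclass(frozen=True)
class Concern:
    """One row of the risk register: an asset, the threat/vulnerability pair
    that exposes it, and the three ratings the post says drive prioritization."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    mitigation_cost: str

    def score(self) -> int:
        # Risk = likelihood x impact, range 1..25 on these scales.
        # A label outside the scale is a data-entry error and is rejected
        # rather than silently scored as zero.
        try:
            return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
        except KeyError as e:
            raise ValueError(f"unknown rating {e} for {self.asset!r}") from None


def prioritize(register, appetite=8):
    """Return (score, decision, concern) tuples, highest risk first.

    Concerns whose score exceeds the risk appetite are marked 'treat';
    the rest are 'accept'. Ties are broken by cheaper mitigation first,
    so the treatment list starts with the largest risk reduction per unit
    cost. The appetite value and the tie-break are assumptions of this example.
    """
    rows = [(c.score(), "treat" if c.score() > appetite else "accept", c)
            for c in register]
    rows.sort(key=lambda r: (-r[0], COST[r[2].mitigation_cost], r[2].asset))
    return rows


def treatment_plan(register, appetite=8):
    """Only the concerns that must be treated, as (asset, vulnerability) pairs."""
    return [(c.asset, c.vulnerability)
            for score, decision, c in prioritize(register, appetite)
            if decision == "treat"]


# Constructed sample register pairing threats and vulnerabilities from the
# lists in this thread; ratings are illustrative, not measured.
SAMPLE_REGISTER = [
    Concern("customer database", "Unauthorized access to the information system",
            "Default passwords not changed", "likely", "major", "low"),
    Concern("server room", "Flood", "Location vulnerable to flooding",
            "possible", "severe", "high"),
    Concern("staff laptops", "Theft", "Lack of protection for mobile equipment",
            "possible", "moderate", "medium"),
    Concern("file server", "Malicious code", "Uncontrolled download from the Internet",
            "likely", "moderate", "medium"),
    Concern("workstations", "Loss of electricity", "Lack of redundancy",
            "unlikely", "minor", "high"),
]

if __name__ == "__main__":
    for score, decision, c in prioritize(SAMPLE_REGISTER):
        print(f"{score:2d} {decision:6s} {c.asset:18s} {c.threat} / {c.vulnerability}")
```

Running the block prints the register sorted from the default-password concern (score 16, treat) down to the power-loss concern (score 4, accept). Swapping in your own scales or appetite only means editing the three dictionaries and the `appetite` argument; the ordering logic stays the same.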
Posts: 108
Topic starter
(@taichi)
Member
Joined: 4 years ago

Information security vulnerabilities are weaknesses that expose an organization to risk. Understanding your vulnerabilities is the first step to managing risk.

Employees

1. Social interaction
2. Customer interaction
3. Discussing work in public locations
4. Taking data out of the office (paper, mobile phones, laptops)
5. Emailing documents and data
6. Mailing and faxing documents
7. Installing unauthorized software and apps
8. Removing or disabling security tools
9. Letting unauthorized persons into the office (tailgating)
10. Opening spam emails
11. Connecting personal devices to company networks
12. Writing down passwords and sensitive data
13. Losing security devices such as ID cards
14. Lack of information security awareness
15. Keying data

Former Employees

1. Former employees working for competitors
2. Former employees retaining company data
3. Former employees discussing company matters

Technology

1. Social networking
2. File sharing
3. Rapid technological changes
4. Legacy systems
5. Storing data on mobile devices such as mobile phones
6. Internet browsers

Hardware

1. Susceptibility to dust, heat and humidity
2. Hardware design flaws
3. Out of date hardware
4. Misconfiguration of hardware

Software

1. Insufficient testing
2. Lack of audit trail
3. Software bugs and design faults
4. Unchecked user input
5. Software that fails to consider human factors
6. Software complexity (bloatware)
7. Software as a service (relinquishing control of data)
8. Software vendors that go out of business or change ownership

Network

1. Unprotected network communications
2. Open physical connections, IPs and ports
3. Insecure network architecture
4. Unused user IDs
5. Excessive privileges
6. Unnecessary jobs and scripts executing
7. Wi-Fi networks

IT Management

1. Insufficient IT capacity
2. Missed security patches
3. Insufficient incident and problem management
4. Configuration errors and missed security notices
5. System operation errors
6. Lack of regular audits
7. Improper waste disposal
8. Insufficient change management
9. Business process flaws
10. Inadequate business rules
11. Inadequate business controls
12. Processes that fail to consider human factors
13. Overconfidence in security audits
14. Lack of risk analysis
15. Rapid business change
16. Inadequate continuity planning
17. Lax recruiting processes

Partners and Suppliers

1. Disruption of telecom services
2. Disruption of utility services such as electric, gas, water
3. Hardware failure
4. Software failure
5. Lost mail and courier packages
6. Supply disruptions
7. Sharing confidential data with partners and suppliers

Customers

1. Customers' access to secure areas
2. Customer access to data (i.e. customer portal)

Offices and Data Centers

1. Sites that are prone to natural disasters such as earthquakes
2. Locations that are politically unstable
3. Locations subject to government spying
4. Unreliable power sources
5. High crime areas
6. Multiple sites in the same geographical location
