are increasingly using Information Technology to improve communications
and increase profitability. However, although companies can benefit from
the application of IT, the increased use of IT also increases the risk
of a security breach.
system threats are many and varied. A threat is a danger, which could
affect the security (confidentiality, integrity, availability) of IT
assets, leading to a potential loss or damage.
loss or outages from NEPA, can cause data loss; fluctuations in power
supply damage both data and equipment. Power problems may also affect
air-condition systems which are required to maintain proper
environmental conditions in the computing equipment. Fire is also a
could also be saboteurs from within an organization or those who
infiltrate a company's computing network from outside to destroy
valuable data, or introduce virus. There are also threats that arise
from careless mistakes of staff. “Often,
the cases of deliberate acts are the most serious, as they have been
planned to avoid detection and cause the maximum damage”.
types of threats can be identified. The first type is the general
threat. This could result from human error. Human error results in
accidental destruction, modification, disclosure, or incorrect
classification of information.
this category errors occur due to ignorance. Like the overused but still
relevant cliché states, “if you think education is expensive try
ignorance.” Ignorance could be due to inadequate security awareness,
lack of security guidelines, lack of proper documentation, lack of
knowledge (even on the part of systems staff). Often lack of knowledge
results in incorrect system configuration.
It is a low level of security awareness that makes users
inadvertently give information on security weaknesses to attackers.
related fraud is on the increase. If staffs are dishonest, the fruits
are IT fraud, theft, embezzlement, illegal selling of confidential
corporate information and systems.
Dishonesty can be a killer! Dishonest employees have been known
to use IT to bring organizations to their knees.
to earlier mentioned threats is that of inferior security management. It
isn’t enough to acquire sophisticated IT equipment. Exposure to IT
related failure is high, if the security policy is inadequate, or not
enforced. What is management’s attitude towards IT security and its
enforcement? Is IT security policy effective or is it simply ceremonial,
or for audit purposes?
from general threats it is possible to isolate
Common sources of these threats are hackers. Hacking is the
process of accessing computer systems by persons who have no legitimate
access to the system, or at least not to that part of the system. It may
be carried out by people outside the organization or by insiders who are
users of the system but who attempt to gain access to parts of the
system they are not authorized to access. Access may mean exploiting
facilities provided by the system, or exploiting flaws in the security
mechanism of the system, or guessing or obtaining the log-on names and
password of legitimate users. The aims of hackers are to obtain
confidential information; to commit fraud; to cause disruption to the
target organization; or for intellectual amusement. There’ve been
several well-publicized example of hacking in the US and in Europe.
Are your hackers “home-based” or foreign?
reliable is your IT service? Another group of threats are classified as
Reliability of Service (ROS) Threats. Are systems up and running when
required? ROS is a major problem affecting electronic banking in Nigeria
today. In quite a number of banks with huge IT investments, system
availability is quite low. For many it is the usual “the system is
down” refrain that seems to be the norm.
threats include natural disasters such as Fire, flood, earthquake, etc. ROS is equally affected by man-made disasters such as War,
Bombs, civil disturbance, dangerous chemicals, nuclear accidents, etc.
Any disaster will affect your ability to benefit from your IT
equipment failure due to defective hardware, cabling, or communications
system, NITEL, etc. will definitely result in ROS problems. If equipment
fails due to malfunctioning air-conditioning system, or poor
environmental conditions, again ROS is affected.
quality of service delivered by public infrastructure is poor, ROS will
always be a major threat. A common ROS problem in Nigeria is Power
supply failure. Which is
the backup, NEPA, or generator? ROS threats can result from the failure
is a major threat to IT security if IT service provision is poor. What
is the quality of IT service, i.e. from an IT or Internet provider? If
your business is dependent on Internet access, your ISP must always
provide high quality Internet service.
is another threat that can affect ROS. Malicious damage of information
or information processing functions such as physical destruction of
network interface devices, cables; physical destruction of computing
devices or media; theft; deliberate electrical overloads or shutting off
electrical power can all affect reliability of service.
in software can cause ROS problems. This is especially so if the
software is relatively new and if it didn’t undergo rigorous testing
before it was released.
computer programs such as viruses have seriously affected
organizations’ ability to use IT. An attack can render an
organization’s IT infrastructure impotent for a significant amount of
time. As it is said, time is money, don’t let viruses waste your
money. There is an alarming increase in the development viruses (in
programs, documents and email attachments).
With the advent and widespread use of the Internet, virus attacks
are having immediate worldwide impact.
Other hostile computer programs are Trojan horse, logic bomb and
group of threats are privacy threats, i.e. unauthorized monitoring of
sensitive data crossing the Internal network, unknown to the data owner,
or unauthorized reading of electronic mail. If you use IT, how private
is your data, or your customer’s data? How easy is it for your
sensitive information to get into the wrong hands?
Integrity/Accuracy threats are those that result from
deliberate damage of information or information processing functions
from internal or external sources.
Integrity / accuracy problems occur when there is deliberate
modification of information, either done externally or internally.
Examples include creating phony account balances, unauthorized
deletion of transactions, or modification of accounting procedures. Does
your system produce exception reports, or have audit facilities? IT
security is nil if information produced by the system is of doubtful
Control threats can result from password cracking. Security is
compromised through careless handling of password files, or use of bad
passwords. Access control
threats could be through attack programs allowing internal access, or
external access to systems. Developers
can also cause access control problems by creating unsecured maintenance
modes in the software. Bugs in network software can open
unknown/unexpected security holes.
control problems can occur from unauthorized physical access to Systems.
Where are systems kept? Are they in a free for all zones, without any
physical security cover?
group of threats are repudiation (denial) threats: Receivers of
confidential information may refuse to acknowledge receipt. Senders of
confidential information may refuse to acknowledge the source.
last group of threats is legal threats. Companies run into problems when
they fail to comply with regulatory or legal requirements. Also many
countries' law forbids (especially over the Internet) incitement to
racism, gambling, money laundering or the use of, or distribution of,
pornographic or violent material. You may be liable if internal users or
attackers abuse your systems to these ends.
The impact of these threats differs. But after a threat impacts heavily on your bottom line, it is no longer a threat but a disaster.
Link to this Content/Resource
We appreciate you notifying other webmasters about our Content and Resources. You can even link directly to this content article!