Unit Outline Information Security Risks, Part II Module 1: Password Security Module 2: Wireless Security Module 3: Unintentional Threats Module 4: Insider Threats Module 5: Miscellaneous Threats Module 6: Summary Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Module 3 Unintentional Threats Unintentional Threats Learning Objectives • Students should be able to: – Identify various types of unintentional threats • (i.e. equipment failure, software failure, user error, failure of communications services, failure to outsource operations, loss or absence of key personnel, misrouting/re-routing of messages, natural disasters, and environmental conditions) – Understand the impact of unintentional threats – Determine relevant controls for unintentional threats Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 3 Unintentional Threats Software Failures • Definition: Software behavior is in conflict with intended behavior • Typical Behaviors: – Immediate loss of data due to abnormal end – Repeated failures when faulty data used again • Vulnerabilities: Poor software development practices • Prevention: – Enforce strict software development practices – Comprehensive software testing procedures • Detection: Use software diagnostic tools • Countermeasures – Backup software – Good software development practices – Regression Testing Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 4 Unintentional Threats Equipment Failure • Definition: – • Typical Behaviors: – • Vital peripheral equipment is often more vulnerable that the computers themselves Prevention: – • Immediate loss of data due to abnormal shutdown. Continuing loss of capability until equipment is repaired Vulnerabilities: – • Hardware operates in abnormal, unintended Replication of entire system including all data and recent transaction Detention: – Hardware diagnostic systems Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 5 Unintentional Threats User Error • Definition: – • Typical Behaviors – • Enforcement of training policies and separation of programmer/operator duties Detection – • Poor user documentation or training Prevention: – • Incorrect data entered into system or incorrect behavior of system Vulnerabilities – • Inadvertent alteration, manipulation or destruction of programs, data files or hardware Audit trails of system transactions Countermeasures – – Backup copies of software and data On-site replication of hardware Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 6 Unintentional Threats Failure of Communications Services • • Definition: Disallowing of communication between various sites, messages to external parties, access to information, applications and data stored on network storage devices. • – • Typical Behaviors – Loss of communications service can lead to loss of availability of information. – Caused by accidental damage to network, hardware or software failure, environmental damage, or loss of essential services • Prevention: Maintain communications equipment Countermeasures – – – – Use an Uninterrupted Power Supply (UPS) Perform continuous back-ups. Plan and implement communications cabling well Enforce network management Vulnerabilities – Lack of redundancy and back-ups – Inadequate network management – Lack of planning and implementation of communications cabling – Inadequate incident handling Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 7 Unintentional Threats Misrouting/Re-routing of messages • Definition: – • Typical Behaviors: – • Inadequate user training Non-encrypted sensitive data Lack of message receipt proof Prevention: – • Can lead to loss of confidentiality of messages are not protected and loss of availability to the intended recipient. Vulnerabilities: – – – • Accidental directing or re-routing of messages Train users in policies Countermeasures: – – Encrypt sensitive data User receipts Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 8 Unintentional Threats Failure in Outsourced Operations • Definition: Outsourcing of operations must include security requirements and responsibilities • Typical Behaviors – • Vulnerabilities – – – • Unclear obligations in outsourcing agreements Non business continuity plans or procedures for information and information asset recovery. Back up files and systems not available. Prevention: – • Failure of outsourced operations can result in loss of availability, confidentiality and integrity of information Create clear outsourcing agreements Countermeasures – – Implement an effective business continuity plan Back up files and system Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 9 Unintentional Threats Loss or Absence of Key Personnel • Definition: – • Typical Behaviors: – • • Absence or loss of personnel can lead to loss of availability, confidentiality, integrity, and reliability. Vulnerabilities: – No backup of key personnel – Undocumented procedures – Lack of succession planning Prevention – • Critical personnel are integral to the provision of company services Maintain redundancy of personnel skills Countermeasures – Document procedures – Plan for succession Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 10 Unintentional Threats Natural Disasters • Definition: Environmental condition which causes catastrophic damage. E.g. earthquakes, fire, flood, storms, tidal waves. • Typical Behaviors – – – • Physical Damage Loss of data, documentation, and equipment Loss of availability of information (leads to loss of trust, financial loss, legal liability) Vulnerabilities – – – – Storing data and processing facilities in known location where natural disasters tend to occur No fire/smoke detectors No business continuity plans Back-up files and systems are unavailable Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 11 Unintentional Threats Natural Disasters, cont’d. • Prevention: – • Detection – – • Location is not known to be a place of natural disasters Weather Advisories Fire/Smoke Alarms Countermeasures – Backup copies of software and data – Storage of data is located in another location – Have a business continuity plan in place Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 12 Unintentional Threats Natural Disasters: Humidity • Both excess and insufficient Humidity in the computer room can threaten system reliability. – Too much moisture in the air can accelerate oxidation of electronic circuits, conductors and connectors – Moisture can also provide high-resistance current paths that make circuits perform unpredictably. Lack of moisture increases the potential for equipment damage due to static electricity. – Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 13 Unintentional Threats Natural Disasters: Water Damage • Water damage can be caused by common events such as rupturing of water pipes, leakage at pipe joints, or rain leaks from the roof • Water damage can also be caused due to excess vapor condensation within air-conditioning equipment. • Computer rooms protected by sprinkler systems are also susceptible to this additional water hazard. • Even in raised floor computer rooms cable couplings that link computing devices can suffer from water damage Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 14 Unintentional Threats Natural Disasters: Heat • Incidents of over-temperature are, by far, the most commonly reported cause of computer down-time. – Caused by poor room planning (inadequate air conditioning) – Catastrophic failure of air conditioning – Failure of fans within computing devices – Blockage of air ducts providing cooling air to the room – The conditions are not apparent to in-room personnel, and often remain undetected until damage occurs. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 15 Unintentional Threats Natural Disasters: Smoke & Fire • Smoke and Fire present obvious hazards to the Computer installation. • Smoke particles deposited on disk and tape surfaces can render the recorded data unrecoverable. • Excessive heat can also damage recording media, and cause immediate failure of computer electronics. • The interruption of operations during a disk or tape write cycle can destroy the contents of open files. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 16 Unintentional Threats Natural Disasters: Humidity • • Poor quality of power with large fluctuations in voltage as well as noise due to electrical noise from other devices – Power fluctuations can cause stress on electronic components and degrade them – Power fluctuations can also cause temporary shutdown of equipment Power noise and fluctuations can be reduced by using electronic devices Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 17 Unintentional Threats Environmental Conditions • Definition: Negative effects of environmental conditions. E.g. contamination, electronic interference, temperature and humidity extremes, power failure, power fluctuations • Typical Behaviors – Chemical corrosion – Introduction of glitches or errors in data – Equipment failure – Availability of information can be compromised – Adverse Health Effects Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 18 Unintentional Threats Environmental Conditions, cont’d. • Vulnerabilities – – – – – • Prevention – • Storing data and processing facilities in known location where natural disasters tend to occur No fire/smoke detectors No Uninterruptible Power Supply (UPS) No business continuity plans Back-up files and systems are unavailable Location is not susceptible to environmental conditions Countermeasures – – – – – Backup copies of software and data Storage of data is located in another location Have a business continuity plan in place Maintain business equipment and facilities UPS equipment Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 19 Unintentional Threats Summary • • • Unintentional threats can still have an impact on information systems security. Threats such as user error can occur more frequently and should not be overlooked when doing risk analysis. Examples of unintentional threats include natural disasters, environmental conditions, employees who make mistakes in writing code or installing software or simply unexpected failure of software or equipment. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 20