Unintentional Threats - University at Albany

advertisement
Unit Outline
Information Security Risks, Part II
Module 1: Password Security
Module 2: Wireless Security
 Module 3: Unintentional Threats
Module 4: Insider Threats
Module 5: Miscellaneous Threats
Module 6: Summary
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
1
Module 3
Unintentional Threats
Unintentional Threats
Learning Objectives
•
Students should be able to:
– Identify various types of unintentional threats
•
(i.e. equipment failure, software failure, user error, failure of
communications services, failure to outsource operations, loss or
absence of key personnel, misrouting/re-routing of messages,
natural disasters, and environmental conditions)
– Understand the impact of unintentional threats
– Determine relevant controls for unintentional threats
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
3
Unintentional Threats
Software Failures
•
Definition: Software behavior is in conflict with intended behavior
•
Typical Behaviors:
–
Immediate loss of data due to abnormal end
–
Repeated failures when faulty data used again
•
Vulnerabilities: Poor software development practices
•
Prevention:
–
Enforce strict software development practices
–
Comprehensive software testing procedures
•
Detection: Use software diagnostic tools
•
Countermeasures
–
Backup software
–
Good software development practices
–
Regression Testing
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
4
Unintentional Threats
Equipment Failure
•
Definition:
–
•
Typical Behaviors:
–
•
Vital peripheral equipment is often more vulnerable that the
computers themselves
Prevention:
–
•
Immediate loss of data due to abnormal shutdown. Continuing loss of
capability until equipment is repaired
Vulnerabilities:
–
•
Hardware operates in abnormal, unintended
Replication of entire system including all data
and recent transaction
Detention:
–
Hardware diagnostic systems
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
5
Unintentional Threats
User Error
•
Definition:
–
•
Typical Behaviors
–
•
Enforcement of training policies and separation of
programmer/operator duties
Detection
–
•
Poor user documentation or training
Prevention:
–
•
Incorrect data entered into system or incorrect behavior of system
Vulnerabilities
–
•
Inadvertent alteration, manipulation or destruction of programs, data
files or hardware
Audit trails of system transactions
Countermeasures
–
–
Backup copies of software and data
On-site replication of hardware
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
6
Unintentional Threats
Failure of Communications Services
•
•
Definition: Disallowing of
communication between various sites,
messages to external parties, access to
information, applications and data
stored on network storage devices.
•
–
•
Typical Behaviors
– Loss of communications service can
lead to loss of availability of information.
– Caused by accidental damage to network,
hardware or software failure,
environmental damage, or loss of
essential services
•
Prevention:
Maintain communications
equipment
Countermeasures
–
–
–
–
Use an Uninterrupted Power Supply
(UPS)
Perform continuous back-ups.
Plan and implement
communications cabling well
Enforce network management
Vulnerabilities
– Lack of redundancy and back-ups
– Inadequate network management
– Lack of planning and implementation of
communications cabling
– Inadequate incident handling
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
7
Unintentional Threats
Misrouting/Re-routing of messages
•
Definition:
–
•
Typical Behaviors:
–
•
Inadequate user training
Non-encrypted sensitive data
Lack of message receipt proof
Prevention:
–
•
Can lead to loss of confidentiality of messages are not protected
and loss of availability to the intended recipient.
Vulnerabilities:
–
–
–
•
Accidental directing or re-routing of messages
Train users in policies
Countermeasures:
–
–
Encrypt sensitive data
User receipts
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
8
Unintentional Threats
Failure in Outsourced Operations
•
Definition: Outsourcing of operations must include security requirements
and responsibilities
•
Typical Behaviors
–
•
Vulnerabilities
–
–
–
•
Unclear obligations in outsourcing agreements
Non business continuity plans or procedures for information and information
asset recovery.
Back up files and systems not available.
Prevention:
–
•
Failure of outsourced operations can result in loss of availability,
confidentiality and integrity of information
Create clear outsourcing agreements
Countermeasures
–
–
Implement an effective business continuity plan
Back up files and system
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
9
Unintentional Threats
Loss or Absence of Key Personnel
•
Definition:
–
•
Typical Behaviors:
–
•
•
Absence or loss of personnel can lead to loss of availability, confidentiality,
integrity, and reliability.
Vulnerabilities:
–
No backup of key personnel
–
Undocumented procedures
–
Lack of succession planning
Prevention
–
•
Critical personnel are integral to the provision of company services
Maintain redundancy of personnel skills
Countermeasures
–
Document procedures
–
Plan for succession
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
10
Unintentional Threats
Natural Disasters
•
Definition: Environmental condition which causes catastrophic
damage. E.g. earthquakes, fire, flood, storms, tidal waves.
•
Typical Behaviors
–
–
–
•
Physical Damage
Loss of data, documentation, and equipment
Loss of availability of information (leads to loss of trust, financial loss,
legal liability)
Vulnerabilities
–
–
–
–
Storing data and processing facilities in known
location where natural disasters tend to occur
No fire/smoke detectors
No business continuity plans
Back-up files and systems are unavailable
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
11
Unintentional Threats
Natural Disasters, cont’d.
•
Prevention:
–
•
Detection
–
–
•
Location is not known to be a place of natural disasters
Weather Advisories
Fire/Smoke Alarms
Countermeasures
– Backup copies of software and data
– Storage of data is located in another location
– Have a business continuity plan in place
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
12
Unintentional Threats
Natural Disasters: Humidity
•
Both excess and insufficient Humidity in the
computer room can threaten system reliability.
–
Too much moisture in the air can accelerate oxidation of
electronic circuits, conductors and connectors
–
Moisture can also provide high-resistance current paths
that make circuits perform unpredictably.
Lack of moisture increases the potential
for equipment damage due to static electricity.
–
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
13
Unintentional Threats
Natural Disasters: Water Damage
•
Water damage can be caused by common events such as
rupturing of water pipes, leakage at pipe joints, or rain leaks
from the roof
•
Water damage can also be caused due to excess vapor
condensation within air-conditioning equipment.
•
Computer rooms protected by sprinkler systems are also
susceptible to this additional water hazard.
•
Even in raised floor computer rooms cable couplings that link
computing devices can suffer from water damage
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
14
Unintentional Threats
Natural Disasters: Heat
•
Incidents of over-temperature are, by far, the most commonly
reported cause of computer down-time.
–
Caused by poor room planning (inadequate air conditioning)
–
Catastrophic failure of air conditioning
–
Failure of fans within computing devices
–
Blockage of air ducts providing cooling air to the room
–
The conditions are not apparent to in-room personnel, and often
remain undetected until damage occurs.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
15
Unintentional Threats
Natural Disasters: Smoke & Fire
•
Smoke and Fire present obvious hazards to the Computer
installation.
•
Smoke particles deposited on disk and tape surfaces can render
the recorded data unrecoverable.
•
Excessive heat can also damage recording media, and cause
immediate failure of computer electronics.
•
The interruption of operations during a disk or tape write cycle
can destroy the contents of open files.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
16
Unintentional Threats
Natural Disasters: Humidity
•
•
Poor quality of power with large fluctuations in voltage as well
as noise due to electrical noise from other devices
–
Power fluctuations can cause stress on electronic components and
degrade them
–
Power fluctuations can also cause temporary shutdown of equipment
Power noise and fluctuations can be reduced by using
electronic devices
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
17
Unintentional Threats
Environmental Conditions
•
Definition: Negative effects of environmental conditions. E.g.
contamination, electronic interference, temperature and
humidity extremes, power failure, power fluctuations
•
Typical Behaviors
–
Chemical corrosion
–
Introduction of glitches or errors in data
–
Equipment failure
–
Availability of information can be compromised
–
Adverse Health Effects
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
18
Unintentional Threats
Environmental Conditions, cont’d.
•
Vulnerabilities
–
–
–
–
–
•
Prevention
–
•
Storing data and processing facilities in known location where natural
disasters tend to occur
No fire/smoke detectors
No Uninterruptible Power Supply (UPS)
No business continuity plans
Back-up files and systems are unavailable
Location is not susceptible to environmental conditions
Countermeasures
–
–
–
–
–
Backup copies of software and data
Storage of data is located in another location
Have a business continuity plan in place
Maintain business equipment and facilities
UPS equipment
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
19
Unintentional Threats
Summary
•
•
•
Unintentional threats can still have an impact on information
systems security.
Threats such as user error can occur more frequently and
should not be overlooked when doing risk analysis.
Examples of unintentional threats include natural disasters,
environmental conditions, employees who make mistakes in
writing code or installing software or simply unexpected
failure of software or equipment.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
20
Download