
Last Update: 12 oct. 2001


2 Introduction: Why Security? How?


2.0 What is security?

Continuity of operations and correct functioning of information systems are important to most businesses. Threats to computerised information and processes are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate significant threats or reduce them to an acceptable level.

Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with Quality structures, processes and checklists.

What needs to be protected, against whom and how?

Security is the protection of information, systems and services against disasters, mistakes and manipulation, so that the likelihood and impact of security incidents are minimised. IT security comprises:

Confidentiality: Sensitive business objects (information & processes) are disclosed only to authorised persons. ==> Controls are required to restrict access to objects.

Integrity: The business needs to control modification of objects (information and processes). ==> Controls are required to ensure objects are accurate and complete.

Availability: Business objects (information and services) must be available when needed. ==> Controls are required to ensure reliability of services.

Legal Compliance: Information/data that is collected, processed, used, passed on or destroyed must be handled in line with the current legislation of the relevant countries.

A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage. 

2.1 Why is IT security necessary?

Most companies use electronic information extensively to support their daily business processes. Data is stored about customers, products, contracts, financial results, accounting etc. If this electronic information were to become available to competitors, or to become corrupted, false or disappear, what would happen? What would the consequences be? Could the business still function?

"The network is the computer" is a phrase coined by Sun Microsystems in the mid eighties, and it is even truer now than then. Applications have moved from single systems (e.g. mainframes) to many co-operating modules spread across different systems. A typical example would be a client-server application that consists of a PC client which passes via a UNIX gateway to access data on a mainframe. For such an application to be secure, the PC, the UNIX system, the mainframe and the network all need to be secured. Security in a client-server environment is complicated by the use of completely different authentication mechanisms on each machine. A client-server application is classified at a security level based on the security of the weakest link in the chain of component elements. What is the point of a very secure mainframe if, for example, passwords are kept in readable form on PCs or on a piece of paper stuck to the PC screen?

The following figures are included (source: Datapro Research) as an example, to give an idea of what is going on in the real world.

IT security requirements [itsec] are often specified in terms of:

Assurance: Confidence that a system behaves as expected (i.e. according to its specification).
Identification / Authentication: When users or programs communicate with each other, the two parties must identify each other, so that each knows who it is communicating with.
Accountability / Audit Trail: The ability to know who did what, when and where. Users are responsible and accountable for their actions. Automatic audit-trail monitoring and analysis is used to detect security breaches.
Access Control: Access to specified resources can be restricted to certain entities.
Object Reuse: Objects used by one process may not be reused or manipulated by another process in a way that violates security.
Accuracy: Objects (information and processes) are accurate and complete.
Secure data exchange: Digests, public key encryption, digital signatures and challenge-response are some of the methods used to achieve secure communication.
Reliability of service: Data and vital services are available when needed.
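
The "secure data exchange" requirement above names digests and challenge-response among its methods. The following is an added example, not code from the original document, showing how the two combine into an authentication exchange that never sends the shared secret and cannot be replayed. The message layout, the user name "alice", the shared keys and the 60-second challenge lifetime are assumptions made for the demonstration.

```python
"""Challenge-response authentication with a keyed digest (HMAC-SHA256).

Added example for this section; it is not code from the original document.
The message layout, the user name "alice", the shared keys and the
60-second challenge lifetime are assumptions made for the demonstration.

What it shows: the shared secret never crosses the wire (only a digest of
a fresh server-chosen nonce does), a captured response cannot be replayed
because each nonce is accepted at most once, and a stale challenge is
refused after its lifetime expires.
"""
import hashlib
import hmac
import secrets
import time

DOMAIN = b"example-auth-v1"   # assumed label; binds the digest to this protocol


def compute_response(key: bytes, user: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of `key` for this user and this nonce.

    HMAC(key, DOMAIN | user | nonce).  The user name is part of the digest,
    so a response computed for one account cannot be presented for another.
    """
    msg = b"|".join([DOMAIN, user.encode("utf-8"), nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Server side: issues one-time nonces and checks responses."""

    def __init__(self, keys, ttl_seconds=60):
        self._keys = dict(keys)            # user -> shared key (assumed key store)
        self._ttl = ttl_seconds
        self._outstanding = {}             # nonce -> (user, issued_at)

    def challenge(self, user: str, now=None) -> bytes:
        """Issue a fresh 128-bit random nonce for `user`."""
        nonce = secrets.token_bytes(16)
        issued = time.time() if now is None else now
        self._outstanding[nonce] = (user, issued)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes, now=None) -> bool:
        """Accept a response only once, only for the user the nonce was issued
        to, only within the lifetime, and only if the digest matches."""
        now = time.time() if now is None else now
        entry = self._outstanding.pop(nonce, None)   # consumed: a replay finds nothing
        if entry is None:
            return False
        issued_to, issued_at = entry
        key = self._keys.get(user)
        if issued_to != user or key is None:
            return False
        if now - issued_at > self._ttl:
            return False
        expected = compute_response(key, user, nonce)
        # Constant-time comparison: no timing leak on how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_exchange() -> dict:
    """Scripted exchange between a client holding alice's key and the
    verifier, followed by an eavesdropper replaying the captured response,
    an attacker guessing the key, and a late answer.  Returns each outcome."""
    alice_key = b"\x01" * 32              # constructed key for the demo
    server = Verifier({"alice": alice_key}, ttl_seconds=60)

    # 1. Genuine login: server -> client nonce, client -> server digest.
    nonce = server.challenge("alice", now=1000.0)
    response = compute_response(alice_key, "alice", nonce)
    genuine = server.verify("alice", nonce, response, now=1001.0)

    # 2. Eavesdropper replays the captured (nonce, response) pair.
    replay = server.verify("alice", nonce, response, now=1002.0)

    # 3. Attacker without the key answers a fresh challenge.
    nonce2 = server.challenge("alice", now=1000.0)
    forged = server.verify("alice", nonce2,
                           compute_response(b"guess", "alice", nonce2), now=1001.0)

    # 4. Correct answer, but presented after the challenge has expired.
    nonce3 = server.challenge("alice", now=1000.0)
    stale = server.verify("alice", nonce3,
                          compute_response(alice_key, "alice", nonce3), now=1100.0)

    return {"genuine": genuine, "replay": replay, "forged": forged, "stale": stale}


if __name__ == "__main__":
    print(run_exchange())
```

Run as a script it prints one True (the genuine login) and three False results. The nonce is popped from the outstanding table before any other check, so even a failed attempt consumes it; that is deliberate, since a nonce that survives a failed attempt could be retried offline against guessed keys.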

A system may not contain confidential data, but it must be available 24 hours a day: it has low data sensitivity but high availability requirements. Availability does not stand alone, however. A high-availability system also needs strong access control and integrity protection, because an attacker who can reconfigure, corrupt or overload it can cause a "denial of service". For some systems, confidentiality (i.e. privacy or non-disclosure of information) is more important than integrity (protection against unauthorised modification of information); for others the reverse is true. Systems with different requirements need to be secured in different ways.

A balance should be found between too much security (very restrictive use, high cost) and too little security (unrestricted use, danger, low "visible" cost).

The value of information and processes should be known, the risks in the current environment analysed, so that an appropriate set of countermeasures can be implemented. A cornerstone of countermeasures is risk analysis and the security policy. 

2.2 Why is a security policy needed?

A security policy is a preventative mechanism for protecting important company data and processes. It communicates a coherent security standard to users, management and technical staff.

2.3 Are your systems secure now?

The British Standards Institution [bsi1] publishes a list of ten key controls for checking whether basic security is implemented. They are:

  1. Information Security Policy Document
  2. Allocation of security responsibilities
  3. Information security education and training
  4. Reporting of security incidents
  5. Virus controls
  6. Business continuity planning process
  7. Control of proprietary copying.
  8. Safeguarding of Company records.
  9. Compliance with data protection legislation
  10. Compliance with security policy.

How many of the above points exist in your current environment? 

2.4 How to go about improving security

How to improve security:

=> Knowing what data & processes need to be protected.
=> Recognising the threats, judging possible impacts.
=> Calculating the risks and deciding what risks are acceptable.
=> Countermeasures: Developing a strategy to reduce the risk to an acceptable level, then implementing, testing and tuning the strategy.

There are two basic approaches to improving security, Bottom Up and Top Down. 

2.4.1 Bottom Up Approach to improving Security

This approach is faster, but not very precise.

If you know what you want to protect, from whom and to what degree:

2.4.2 Top Down Approach to improving Security

2.4.2.1 Overview

This approach is methodical and more precise, but can be slow and have high initial costs. Where security needs to be improved urgently, it is suggested that both methods be used in parallel, i.e. the bottom-up approach for important, well-known systems and the top-down approach to arrive at a long-term, precise policy, strategy and vision on security that is supported and understood by management.
The top down approach involves:

  1. Asset Analysis: What needs to be protected? List information and processes (What are the important assets? Are they stored on computer? What are the financial implications of loss of these assets?). The measures taken to protect assets should correspond to the value of the assets.
  2. Analyse current security rules/policies/practices (if any).
  3. Define basic Security Objectives: e.g. fix basic Availability, Confidentiality and Integrity objectives.
  4. Threat Analysis: Before deciding how to protect a system, it is necessary to know what the system is to be protected against, i.e. what threats are to be countered. => Identify threats (employee vengeance, hackers, espionage, technical failures etc.). A list of sample threats is presented later. Threats tend to be general in nature.
  5. Impact Analysis:
  6. Calculate Risk:
  7. Constraints Analysis: Examine requirements outside of your control (national and international laws, corporate requirements, corporate culture, contractual requirements, budget).
  8. Decide on a counter strategy:
  9. Implementation:
  10. Assurance: Re-evaluate risks and security strategy regularly (e.g. every 2 years).

2.4.2.1.1 Formal Risk Analysis Methods (e.g. MARION)

The method described above is an ad-hoc, "obvious" method, not a formally approved methodology. There are many formal methods. One called MARION is described below. The European Security Forum also has an interesting one, but I've not examined it yet.

A formal method known as MARION[1] for IT risk-analysis is a good starting point for a top-down risk analysis and implementation of security in an enterprise. This method was developed in France in 1984 and is designed to be practical, directly involving top management in an intensive analysis of the enterprise. By 1992, it had been used in over 800 projects, especially in France.

This public domain method is updated yearly, together with statistics, by the French computer security club CLUSIF (Club de la Sécurité Informatique Français) and the insurance organisation APSAD (Assemblée Plénière des Sociétés d'Assurances Dommages) in France.

The reader is referred to companies such as Coopers & Lybrand who carry out MARION risk analyses. See Appendix C for contact information. 

2.4.2.2 Threats + impact + likelihood = risk

Before deciding how to protect a system, it is necessary to know what the system is to be protected against i.e. what threats are to be countered. In the following sections different types of threats are presented.

Threats are divided up into the following categories: General, Identification / Authentication, Availability, Privacy, Integrity / Accuracy, Access Control, Repudiation, Legal.

In this section a table is presented for each category, containing: the threat (with a description), the impact of the threat (a reference to the impact table in section 2.4.2.4) together with an impact score (0-5), and the likelihood of the threat occurring (0-5). The score columns are largely left blank, since the values are business specific and must be filled in by people who know the business.
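
The following is an added worked example, not part of the original document, of the scoring just described carried through to the risk summary of section 2.4.2.6: each threat is given an impact reference, an impact score and a likelihood score, the scores are validated and combined, and the ranked list is split into the risks to be countered and the risks accepted as tolerable (steps 4 to 6 of the top-down approach). The sample threats and their scores are constructed for illustration, and the combination rule (risk = impact x likelihood, range 0-25) and the acceptance threshold are assumptions, since the text fixes the 0-5 scales but not the formula.

```python
"""Worked risk register for the top-down method of this chapter.

Added example; it is not part of the original document.  The sample
threats and their scores are constructed for illustration, and the rule
used to combine the two scores (risk = impact x likelihood, range 0-25)
and the acceptance threshold are assumptions: the text gives the 0-5
scales but does not fix the formula.
"""
from dataclasses import dataclass

# Subset of the impact table (Im1..Im16) of section 2.4.2.4.
IMPACTS = {
    "Im1": "Disclosure of company secrets, customer data or accounting data",
    "Im2": "Modification of accounting data or customer data",
    "Im7": "Major disruption of business functions",
    "Im8": "Major disruption of the network",
    "Im11": "The company may be legally prosecuted",
}


@dataclass(frozen=True)
class Threat:
    category: str       # General, Privacy, Access Control, ...
    description: str
    impact_ref: str     # key into IMPACTS
    impact: int         # 0-5
    likelihood: int     # 0-5

    def __post_init__(self):
        # Reject scores outside the 0-5 scale and unknown impact references
        # at construction time, so a bad register entry fails loudly.
        for name in ("impact", "likelihood"):
            score = getattr(self, name)
            if not isinstance(score, int) or not 0 <= score <= 5:
                raise ValueError(f"{name} must be an integer 0-5, got {score!r}")
        if self.impact_ref not in IMPACTS:
            raise ValueError(f"unknown impact reference {self.impact_ref}")

    @property
    def risk(self) -> int:
        # Assumed combination rule: product of the two scores (0-25).
        return self.impact * self.likelihood


def rank(threats):
    """Highest risk first; ties broken by category and description so the
    table is reproducible from one run to the next."""
    return sorted(threats, key=lambda t: (-t.risk, t.category, t.description))


def split_by_threshold(threats, accept_below: int = 8):
    """Step 6: decide which risks are acceptable.  Everything with
    risk >= accept_below goes into the counter strategy; the rest are
    accepted, and recorded rather than forgotten."""
    ranked = rank(threats)
    to_counter = [t for t in ranked if t.risk >= accept_below]
    accepted = [t for t in ranked if t.risk < accept_below]
    return to_counter, accepted


def render(threats) -> str:
    """Plain-text risk summary table in the layout used by this chapter."""
    header = "Risk | Threat | Impact (ref.) | Impact (0-5) | Likelihood (0-5)"
    rows = [header, "-" * len(header)]
    for t in threats:
        rows.append(f"{t.risk:>4} | {t.category}: {t.description} | "
                    f"{t.impact_ref} ({IMPACTS[t.impact_ref]}) | "
                    f"{t.impact} | {t.likelihood}")
    return "\n".join(rows)


# Constructed sample scores; a real register is filled in by managers who
# know the business (section 2.4.2.4).
SAMPLE = [
    Threat("Access Control", "Password cracking: blank, default or easy-to-guess passwords", "Im1", 4, 4),
    Threat("General", "Human error: incorrect system configuration", "Im8", 3, 4),
    Threat("General", "Protocol design errors: TCP SYN flooding", "Im8", 3, 3),
    Threat("Legal", "Failure to protect confidentiality of employee data", "Im11", 4, 2),
    Threat("Privacy", "Network eavesdropping on the internal network", "Im1", 3, 2),
    Threat("Reliability of service", "Major natural disaster: fire, water, earthquake", "Im7", 5, 1),
]


if __name__ == "__main__":
    counter, accepted = split_by_threshold(SAMPLE)
    print("Risks to be countered:\n" + render(counter))
    print("\nRisks accepted:\n" + render(accepted))
```

With the sample scores the register ranks password cracking (16) above misconfiguration (12), SYN flooding (9) and the legal exposure (8), and records eavesdropping (6) and natural disaster (5) as accepted at a threshold of 8. The threshold is the business decision of step 6; the code only makes it explicit and keeps the accepted risks visible for the periodic re-evaluation of step 10.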

General Threats:

Threat | Impact (ref.) | Impact (0-5) | Likelihood (0-5)

  1. Human error:
     • Accidental destruction, modification, disclosure, or incorrect classification of information.
     • Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge (e.g. of system administrators).
     • Workload: too many or too few system administrators. Highly pressurised users.
     • Users may inadvertently give information on security weaknesses to attackers.
     • Incorrect system configuration.
     • The security policy is not adequate.
     • The security policy is not enforced.
     • The security analysis may have omitted something important, or be simply wrong!
  2. Dishonesty: fraud, theft, embezzlement, selling of confidential corporate information.
  3. Attacks by social engineering:
     • Attackers may use the telephone to impersonate employees and persuade users / administrators to give out usernames, passwords, modem numbers etc.
     • Attackers may persuade users to execute trojan horse programs.
  4. Abuse of privileges / trust.
  5. Unauthorised use of "open" terminals/PCs.
  6. Mixing of test and production data or environments.
  7. Introduction of unauthorised software or hardware.
  8. Time bombs: software programmed to damage a system on a certain date.
  9. Operating system design errors: certain systems were not designed to be highly secure (e.g. PCs, many UNIX versions).
  10. Protocol design errors: certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in:
     • Source routing, DNS spoofing, TCP sequence guessing => unauthorised access is achievable.
     • Hijacked sessions and authentication session / transaction replay => data is changed or copied during transmission.
     • Denial of service, due to ICMP bombing, TCP SYN flooding, large PING packets, etc.
  11. Logic bomb: software programmed to damage a system under certain conditions.
  12. Viruses (in programs, documents and email attachments).

Identification/authentication threats:

Threat | Impact (ref.) | Impact (0-5) | Likelihood (0-5)

  1. Attack programs masquerading as normal programs (Trojan horses).
  2. Attack hardware masquerading as normal commercial hardware.
  3. External attackers masquerading as valid users or customers.
  4. Internal attackers masquerading as valid users or customers.
  5. Attackers masquerading as helpdesk/support personnel.

Reliability of service threats:

Threat | Impact (ref.) | Impact (0-5) | Likelihood (0-5)

  1. Major natural disasters: fire, smoke, water, earthquake, storms/hurricanes/tornadoes, power cuts etc. (impact ref. Im7)
  2. Minor natural disasters (of short duration or causing little damage). (impact ref. Im8)
  3. Major man-made disasters: war, bombs, civil disturbance, dangerous chemicals, nuclear accidents, etc. (impact ref. Im7)
  4. Equipment failure due to defective hardware, cabling, or communications system. (impact ref. Im8)
  5. Equipment failure due to airborne dust (no or malfunctioning air-conditioning), electromagnetic interference, or static electricity. (impact ref. Im8)
  6. Denial of service:
     • Network abuse: misuse of routing protocols to confuse and mislead systems.
     • Server overloading (processes, swap space, memory, "tmp" directories and overloading services).
     • Email bombing (message flooding).
     • Downloading or receipt (via email) of malicious applets, ActiveX controls, macros, PostScript files etc.
  7. Sabotage: malicious (deliberate) damage of information or information processing functions.
     • Physical destruction of network interface devices, cables.
     • Physical destruction of computing devices or media.
     • Destruction of electronic devices and media by electromagnetic radiation weapons.
     • Theft.
     • Deliberate electrical overloads or shutting off electrical power.
     • Viruses and/or worms.
     • Deletion of critical system files.

Privacy threats:

Threat | Impact (ref.) | Impact (0-5) | Likelihood (0-5)

  1. Eavesdropping:
     • Electromagnetic eavesdropping / Van Eck radiation: computers, keyboards, monitors and printers emit radiation which can be detected up to several hundred metres away and reconstructed.
     • Telephone and fax eavesdropping (via "clip-on" taps, telephone bugs, inductive sensors or hacking the public telephone exchanges).
     • Network eavesdropping: unauthorised monitoring of sensitive data crossing the internal network, unknown to the data owner (via "clip-on" taps, inductive sensors, network sniffers, or hacking the public telephone exchanges).
     • Network eavesdropping: unauthorised monitoring of sensitive data crossing the Internet, unknown to the data owner (via "clip-on" taps, inductive sensors, network sniffers, or hacking the public telephone exchanges).
     • Subversion of DNS to redirect email or other traffic.
     • Subversion of routing protocols to redirect email or other traffic.
     • Reading information cached in client applications.
     • Radio signal eavesdropping: analogue mobile phones and cordless home phones are very easy to eavesdrop on.
     • Rubbish eavesdropping: an attacker who analyses waste can often find interesting things. Are all confidential documents shredded?
     

Integrity/Accuracy threats:

Threat | Impact (ref.) | Impact (0-5) | Likelihood (0-5)

  1. Malicious (deliberate) damage of information or information processing functions from external sources.
  2. Malicious (deliberate) damage of information or information processing functions from internal sources.
  3. Modification of information (deliberate).

Access Control threats:

Threat | Impact (ref.) | Impact (0-5) | Likelihood (0-5)

  1. Password cracking: access to password files, use of bad passwords (blank, default, easy-to-guess or rarely-changed passwords).
  2. External access to password files, and sniffing of the network.
  3. Attack programs allowing internal access to systems (backdoors).
  4. Attack programs allowing external access to systems (backdoors visible to external networks).
  5. Unsecured maintenance modes, developer backdoors.
  6. Modems are easily connected, allowing uncontrolled extension of the internal network.
  7. Bugs in network software can open unknown/unexpected security holes. These holes can be exploited from external networks to gain access to the internal network. As software becomes increasingly complex, this threat grows.
  8. Unauthorised physical access to systems.

Repudiation threats:

Threat | Impact (ref.) | Impact (0-5) | Likelihood (0-5)

  1. Receivers of confidential information may refuse to acknowledge receipt (repudiation of receipt).
  2. Senders of confidential information may refuse to acknowledge being the source (repudiation of origin).

Legal threats:

Threat | Impact (ref.) | Impact (0-5) | Likelihood (0-5)

  1. Failure to comply with regulatory or legal requirements (e.g. failure to protect confidentiality of employee data).
  2. Many countries' laws forbid (also over the Internet) incitement to racism, gambling, money laundering, or the use or distribution of pornographic or violent material. You may be liable if internal users or attackers abuse your systems to these ends.
  3. Internal users attacking other sites: is the company liable for damages if an employee attacks another company?

2.4.2.3 Sources of threats

Threat sources:
  1. Political espionage.
  2. Commercial espionage. Since the end of the cold war, the entire intelligence community has undergone a significant shift from classical east-against-west spying to each-country-must-protect-its-economy. Former KGB and CIA employees now work as freelance commercial intelligence services. Sources of such espionage are competitors (domestic and international).
  3. Employees:
     • Disgruntled employees and (former) employees.
     • Bribed employees.
     • Dishonest employees (possible at all levels: from top management down).
     • System & security administrators are "high-risk" users because of the confidence required in them. Choose with care.
  4. Hackers:
     • Beginners: know very little, use old, known attack methods.
     • Braggers: are learning a lot, especially from other hackers. They seek gratification by bragging about their achievements.
     • Experts: highly knowledgeable, self-reliant, inventive, try to be invisible. They may provide tools/information to the braggers to launch attacks which hide their own, more subtle attacks.
  5. Contractors / vendors who have access (physical or network) to the systems.
  6. Organised crime (with goals such as blackmail, extortion etc.).
  7. Private investigators, "mercenaries", "freelancers".
  8. Law enforcement & government agencies (local, national and international), who may or may not be correctly following legal procedures.
  9. Journalists looking for a good story.

2.4.2.4 Impact

Impacts are very business specific, depending on the assets, the type of business and the current countermeasures (IT infrastructure). Impacts describe the effect of a threat. The impact may also depend on the length of time that business functions are disrupted.
The following is a list of some basic impacts that a company may be subject to. It needs to be completed in detail by managers who understand the business in detail.

Ref. Possible Impacts 
Im1 Disclosure of company secrets, disclosure of customer data, disclosure of accounting data. 
Im2 Modification of accounting data or customer data. 
Im3 Attackers impersonating the company or its customers.
Im4 Bad company publicity: hacker security breaches publicised. 
Im5 Bad company publicity: customer information modified/deleted/publicised.
Im6 Bad division publicity: External attackers used a particular division as an entry point to the corporate network. 
Im7 Major disruption of business functions. 
Im8 Major disruption of the network.
Im9 Fraud
Im10 Loss of customer confidence (if the disruption lasts for a longer period of time, or occurs frequently, customers would probably be lost). 
Im11 The company may be legally prosecuted (negligence, breaking the law or regulatory requirements) 
Im12 Reduction of quality of service
Im13 Possible gains for competitors and thus loss of revenue. 
Im14 The corporate network may be used as a base by attackers for attacking other sites.
Im15 The corporate network may distribute software containing attacker software. 
Im16 Electronic fraud

2.4.2.5 Constraints Analysis

Examine requirements outside of your control:

2.4.2.6 Risk summary

Once the threats, impacts and corresponding risks have been listed and the constraints have been analysed, the significant business risks (or weaknesses) will be more evident, allowing a counter strategy to be developed.

It is advisable to summarise the risks to be countered together in one table. Likewise a summary of major strengths would show what has been achieved to date.

An example of the major risks/weaknesses list might be:

2.4.2.7 Counter strategy & counter measures

Develop a strategy, based on the Risk Summary above to:

Countermeasures typically involve: Security Policy, Security organisation (responsibility, roles & processes) and specific mechanisms.

  1. Definition of security policies, to protect information based on the risk (see the "Policies" chapter). Policies reduce risk.
  2. Implementing Policies: Roles, Responsibility and organisation are required (see next chapter). A security organisation can reduce risk and limit damage.
  3. Define requirements on mechanisms: Effective use of mechanisms and processes to enforce security. Choosing appropriate security mechanisms together with secure operating procedures can reduce the risk. Requirements should be listed under the following (ITSEC recommended) headings. ITSEC also recommends that the strength of mechanisms and countermeasures should be rated as basic, medium or high.
  4. Define concrete Secure Operating Guidelines and controls for specific systems (see Part III).
  5. Consider insuring against threats which cannot be covered by the above measures.
  6. Assurance / constant vigilance:

[1] Méthodologie d'Analyse des Risques Informatiques et d'Optimisation par Niveau

