IT Security: Threats and
vulnerabilities
The risks associated with
information security can be classified into two categories, threats and vulnerabilities.
Threats refer to the actions of people and nature that endanger an
organization’s information assets and infrastructure. Vulnerabilities are the
weaknesses in the assets and infrastructure that are at risk of unintended and
unwanted events. Rather than being unrelated,
threats and vulnerabilities are two sides of the same coin, threats are the
potential actions that will follow the path of least resistance to the greatest
vulnerabilities.
THREATS
A security threat is the wilful
intention on someone’s part to inflict injury or damage to an individual’s or
organization’s networks, computers, software or data. Threats come from people
in the organization itself: employees, contractors and visitors. People outside
the organization also threaten it. The types of injury or damage that could
occur are practically limitless. A few examples include:
Ø Sabotage
of computer hardware or software
Ø Theft
and subsequent disclosure of proprietary or personally sensitive information
Ø Attacks
on information infrastructure to render it unavailable for legitimate uses
Ø Development
and release of a virus or worm intended to cause widespread damage.
VULNERABILITIES
Vulnerability is any weakness
in computer or network hardware or software that makes it open to attack or
damage. Vulnerability can be the result of an imperfection in design,
implementation or configuration. While vulnerability is generally thought of as
an oversight, the existence of vulnerability can be the result of a deliberate
act. Some examples of vulnerabilities include:
Ø A flaw
in a software program that permits an intruder to cause the program to malfunction,
generally with the intention of breaking into the system running the program
Ø An
operating system misconfigurations that permits an ordinary user to switch to
privileged mode, which gives the user full administrative control over the system
Ø A flaw
in a business process that permits an employee to log in using a new employee’s
account by entering a well-known default/initial password
Ø A
recently installed system with default administrative passwords, permitting anyone
with knowledge of the password to gain full access to the system
Ø Servers
in the enterprise that individuals set up on their own that lack anti-virus protection
and security patches.