Risks and Threats

Risks and threats are what risk management strives to deal with. A risk is something that could have a negative impact on project objectives or on a company's ability to carry out normal business functions, and that can result in loss for the company. A threat is the potential for a particular vulnerability to be used to cause damage. Either can adversely affect the confidentiality, integrity, or availability of a project or business, which is why it is so important that they are handled effectively.

The definitions of risk and threat are similar, and the two are closely related, but they are not the same thing. A risk always involves the potential for loss, while a threat is always something that exploits or triggers a weakness to cause damage. If there is no vulnerability that can be exercised, a threat source poses no risk. To illustrate this, say a company has a building near a mountain that is prone to avalanches. The source of the threat is the mountain, the threat is an avalanche, and the vulnerability is being too close to the mountain. If the company's building were far enough away from the mountain, there would be no risk: the threat of an avalanche would still exist, but the risk would not.

It is also important to realize that risks are neither inevitable nor necessarily bad. Something that threatens a project or company, or adds an element of risk to it, also provides an opportunity for change and the possibility of profit. For example, an old Web server has a greater risk of failing, and may threaten a company's ability to sell products on the Internet. Replacing it with a new server removes that risk and, at the same time, gives the company a Web server that processes online purchases more efficiently. Whatever the upside, though, to deal effectively with any risk or threat a company must first identify the ones that affect it.

Test Day Tip 

You may find a number of questions that deal directly or indirectly with risks, threats, threat sources, and vulnerabilities. Remember that the key difference between a risk and a threat is that a risk has an element of loss associated with it. Threats may come from a variety of sources, and they become risks only when a vulnerability can be exercised.

Different Types of Risks and Threats

When identifying risks and threats, the security administrator will find that the events affecting their organization may differ from those faced by other businesses. For example, an e-commerce site is at risk of having credit card information acquired by a hacker, while a public information site that holds no sensitive data would not consider this a potential problem. Because risks vary from business to business, you cannot identify your risks simply by adopting a list created by another organization; each business must identify what it may actually have to confront.

While not every threat is likely to occur, the sheer number of them can be overwhelming. Threats can come from a wide variety of sources, and present different levels of risk to elements of a company. However, upon taking a closer look, these various threats can generally be divided into three different categories:

  • Environmental threats, which include natural and man-made disasters

  • Deliberate threats, in which the threat source has intentionally caused an event to happen

  • Accidental threats, in which the threat source has unintentionally caused an event to occur

While this seems like an oversimplification, categorizing risks and threats in these groups provides an effective way of seeing where threats can stem from, and how they are related in certain ways. Further analysis may also find that certain threats in the same category can be effectively mitigated using the same methods.

Environmental Risks and Threats

Risks and threats related to an environment result from the situations and conditions that surround the elements of a business. They can be naturally occurring or man-made, and can be of serious concern to organizations affected by them. Significant damage can be caused by such threats, as they may have an impact on all aspects of the company, including equipment, data, structures, and the personnel who work within that environment.

When people think of environmental threats, they generally think of natural disasters. These include storms, floods, fires, earthquakes, tornadoes, or any other naturally occurring event. Due to their possible severity, it is important that plans be created that not only protect material assets, but also provide information on the evacuation of personnel. Since some disasters are more common in different geographical regions (such as blizzards in Canada and tornadoes in the mid-western U.S.), not all disasters are likely to affect every company or certain branch offices of an organization.

Environmental risks can also be man-made. These would include situations that may cause damage in an organization from events caused by human involvement or creation. Man-made environmental risks include such situations as fires breaking out due to faulty wiring, water pipes bursting, or power outages. They also include health hazards, such as previous installations of asbestos in ceilings or other areas of a building. In addition to these risks, an organization may face environmental risks from equipment failures, such as air conditioning breaking down in the server room, a critical system failing, or any number of other problems.

Deliberate Risks and Threats

Risks and threats that are deliberate are the result of intentional human action. These risks are caused on purpose and have a goal associated with them, which may be profit-oriented, emotional (including curiosity or a desire for revenge), or rooted in broader social issues. In some cases, the reasons for carrying out a deliberate threat are as diverse as the people committing the acts.

A widely publicized risk for companies that are connected to the Internet, or that allow users to install their own software, is viruses and other malicious software. Malicious persons create and disseminate programs designed to perform a specific and (generally) unwanted action, such as deleting data, corrupting information, causing computers to behave unpredictably, or even sending sensitive information to other parties via e-mail. An attack using viruses, worms, Trojan horses, or other malicious programs can result in disruption of services, or in the modification, damage, or destruction of data. In some cases, such an attack can devastate an organization as effectively as any natural disaster.

Since the Internet is so widely used by companies, hackers use its tools to deliberately cause problems for organizations. A hacker who gains access to a company's Web site may add code that redirects visitors to a different site. That site may pose as the company's own and use its pages to harvest information from customers (such as usernames, passwords, or other personal, business, or financial data), or it may carry content that defames the business.

Another common threat to businesses from the Internet is spam and other e-mail related issues. Spam is unsolicited mail sent in bulk to large numbers of Internet users. Such e-mail may contain links to Web sites that request information from users, or it may carry viruses or other malicious programs. Since e-mail can be written in Hypertext Markup Language (HTML), it can contain the same elements as a Web page, and therefore the same kinds of malicious content. A further problem is that massive amounts of e-mail can be sent to a company deliberately, filling mailboxes with junk and preventing mail from legitimate customers or other persons from being accepted.

start sidebar
Head of the Class…
Social Engineering

Social engineering requires people skills more than computer skills. With social engineering, hackers attempt to acquire information from someone for unethical or illegal purposes. Their goal is to obtain a person's username, password, credit card information, or other data that will benefit them.

Using social engineering, hackers may misrepresent themselves as authority figures or someone in a position to help their victim. For example, a hacker may phone a network user and say that there is a problem with the person's account. To remedy the problem, all the caller needs is the person's password. Without this information, the hacker tells the victim, the person may experience problems with their account, or will be unable to access certain information. Since the person will benefit from revealing the information, the victim often tells the hacker the password. By simply asking, the hacker now has the password and the ability to break through security and access data.

Social engineering may also involve more subtle methods of acquiring information from a person. In many cases, a hacker will get into a conversation with the user and slowly get the person to reveal tidbits of information. For example, a hacker could start a conversation about the Web site, ask what the victim likes about it, and determine what the person can access on the site. The hacker might then steer the conversation toward the names of the victim's family members and pets, and follow up by asking about the person's hobbies. Since many users make the mistake of using the names of loved ones or hobbies as passwords, the hacker may now have access. While the questions seem innocuous, when all of the pieces of information are put together they may give the hacker a great deal of insight into getting into the system.

In other cases, a hacker may not even need to get into the system, because the victim reveals all the information desired. People enjoy others taking an interest in them, and will often answer questions for this reason or out of politeness. Social engineering is not confined to computer hacking. A person may start a conversation with a high-ranking person in a company and get insider information about the stock market, or manipulate a customer service representative at a video store into revealing credit card numbers. If a person has access to the information the hacker needs, then hacking the system is not necessary.

The best way to protect an organization from social engineering is through education. People reveal information to social engineers because they are unaware that they are doing anything wrong. Often, they will not realize they have been victimized, even after the hacker uses the information given to them for illicit purposes. Teaching users how it works, and stressing the importance of keeping information confidential, will make them less likely to fall victim to social engineering.

end sidebar
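The password guessing the sidebar describes, where family names, pets, hobbies and significant years are combined into candidate passwords, can be turned into a check that an administrator runs against a proposed password before accepting it. The script below is an added example, not code from the study guide; the profile it uses is constructed for the demonstration, and the list of suffixes and letter substitutions is an assumption about what a guesser would try first.

```python
import itertools

# Constructed profile of the kind a social engineer assembles from casual
# conversation (see the sidebar); not a real person.
SAMPLE_PROFILE = {
    "family": ["Sarah", "Michael"],
    "pets": ["Fluffy"],
    "hobbies": ["golf", "sailing"],
    "years": [1987],          # birthdays, anniversaries, graduation years
}

# Assumed mutations: the substitutions and suffixes a guesser tries first.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "12", "123", "!", "1!"]


def candidate_passwords(profile):
    """Expand a profile into the passwords a social engineer would try."""
    words = set()
    for key in ("family", "pets", "hobbies"):
        words.update(w.lower() for w in profile.get(key, []))
    numbers = {str(y) for y in profile.get("years", [])}

    guesses = set()
    for w in words:
        forms = {w, w.capitalize(), w.upper(),
                 w.translate(LEET), w.capitalize().translate(LEET)}
        for form in forms:
            for suffix in SUFFIXES:
                guesses.add(form + suffix)
            for n in numbers:
                guesses.add(form + n)        # golf1987
                guesses.add(form + n[-2:])   # golf87
    # Two tokens joined, e.g. pet name plus hobby.
    for a, b in itertools.permutations(sorted(words), 2):
        guesses.add(a + b)
        guesses.add(a.capitalize() + b.capitalize())
    return guesses


def password_is_guessable(password, profile):
    """True if the password is one an attacker holding this profile would try."""
    return password in candidate_passwords(profile)


def guessable_subset(passwords, profile):
    """Return the members of `passwords` that the profile exposes, e.g. when
    reviewing a batch of proposed passwords against a policy."""
    guesses = candidate_passwords(profile)
    return [p for p in passwords if p in guesses]


if __name__ == "__main__":
    for pw in ["Fluffy123", "sailing87", "G0lf1987", "k9#Vt!2pQz"]:
        verdict = "guessable" if password_is_guessable(pw, SAMPLE_PROFILE) else "ok"
        print(f"{pw:12} {verdict}")
```

The point of the exercise is the size of the candidate set: a handful of personal facts, expanded with a few routine mutations, covers the passwords most people would consider "personal and therefore safe". Real password audits use much larger mutation rules, but the profile data is the part the attacker collects by simply asking.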

Unauthorized access is a common issue in information security: members within or outside of the organization who are not authorized to access data or systems attempt to do so anyway. Companies with connections to the Internet may install firewalls to prevent people on the Internet from reaching data on the internal network. Hackers look for vulnerabilities and attempt to enter the network by exploiting them; in other situations they try less technical routes, such as tricking a user into granting access.

Hacking may be done through expert computer skills, programs that acquire information, or through an understanding of human behavior. This last method is called social engineering. When social engineering is used, hackers misrepresent themselves or trick a person into revealing information. Using this method, a hacker may ask a user for his or her password, or get the user to reveal other sensitive information that should remain private.

While many people consider hacking attempts to be the work of curious or malicious persons outside the company, this is not always the case. Numerous studies have found that approximately 70 percent of attacks originate from inside a network, by internal personnel. Someone who works for a company is able to watch a coworker typing in a password (referred to as shoulder surfing), and can attack other areas of the network without having to contend with the firewalls that keep outside sources out. As more individuals within a company become computer savvy, the possibility of employees using their limited access to gain unauthorized access grows.

Another internal risk that many companies experience is theft. Corporate theft costs businesses considerable amounts of money every year. You may think this relates only to the theft of computers and other office equipment, which costs the company a large amount in a single incident, but even small thefts add up over time. Imagine a company with thousands of users, each of whom takes a box of floppy disks or CD-ROMs home. When the small amounts of pilfering are added up, this can cost the company more than the single theft of a computer.

Software and data are also targets of corporate theft. Employees may steal installation CD-ROMs or make copies of software to install at home. A single program can cost a thousand dollars or more, and illegally installed copies can result in piracy charges and legal liability. If employees take sensitive data from the company and sell it to a competitor or use it for other purposes, the company could lose millions of dollars, or face liability suits or even criminal charges if the stolen data breaches client confidentiality. Where the data involves corporate financial information, embezzlement could also result. By failing to address the risk of such theft, a company exposes itself to huge losses.

As was seen during the riots that occurred in Los Angeles in 1992, social issues can also result in damage to a company. During that incident, racial tensions escalated to the point where millions of dollars in damage occurred. While rioting is a rare occurrence, other types of social issues may also result in corporate loss. In some cases, a company may be involved in something that leads to boycotts of a product. Companies may also be located in or near high-crime areas and fall victim to vandalism, theft, or any number of events. By keeping aware of issues related to the company, you are in a better position to deal with the risks related to those issues.

After the events of September 11, 2001, the widespread impact of a terrorist attack became evident. Resources including equipment, data, and personnel were made unavailable or destroyed, enormous amounts of money were lost by individual businesses, and the economic ripples were felt internationally. While some companies experienced varying levels of downtime, others never recovered and were put out of business. The economic effects of this event were felt even in other countries, and it changed how many organizations viewed security issues. Although it was an extreme deliberate act, such incidents must be considered when looking at potential risks against a company.

Accidental Risks and Threats

Risks and threats can also be accidental in nature, and are not intended to cause any actual harm. Such incidents generally result from human error. Despite good intentions, a person or program can cause incredible amounts of damage without meaning to.

The previous section mentioned that hackers can obtain unauthorized access to systems through a variety of methods. While those are deliberate actions, it is also possible for users of a network to stumble into areas they should not. System administrators can make mistakes and fail to limit access properly to files, directories, or other resources. In some cases, access controls are not restrictive enough; in others they are missing entirely. Either way, users who reach such areas have no reason to think their access is unauthorized, and so they gain entry to places they should not.
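One way to catch the mistake described above, permissions that are too loose or absent on files and directories, is to audit a tree for access that anyone on the host can exercise. The script below is an added example, not code from the study guide; the directory layout, the choice of a payroll share as the private area, and the sample modes are constructed for the demonstration, and it assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

# Constructed layout for the demonstration: a public web root next to a
# payroll share whose contents only the owner should be able to read.
# Entries ending in "/" are directories; values are the modes to set.
SAMPLE_LAYOUT = {
    "www/index.html": 0o644,
    "www/uploads/": 0o777,          # anyone on the host can drop files here
    "payroll/": 0o700,
    "payroll/salaries.csv": 0o644,  # private data readable by every user
    "payroll/notes.txt": 0o600,
    "bin/backup.sh": 0o4755,        # setuid script
}
PRIVATE_DIRS = ("payroll",)


def build_sample_tree(base):
    """Create the constructed layout under `base` with the listed modes."""
    for rel, mode in SAMPLE_LAYOUT.items():
        path = os.path.join(base, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample\n")
        os.chmod(path, mode)  # chmod overrides whatever the umask applied


def audit_permissions(root, private_dirs=()):
    """Return sorted (relative path, problem) pairs for entries under `root`
    whose access is looser than intended: world-writable anywhere, readable
    beyond the owner inside a private area, or carrying setuid/setgid."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a planted link must not drag the audit outside the tree
            mode = os.lstat(path).st_mode
            rel = os.path.relpath(path, root)
            in_private = any(rel == d or rel.startswith(d + os.sep)
                             for d in private_dirs)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if in_private and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "readable beyond owner in private area"))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def audit_sample_tree():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return audit_permissions(base, PRIVATE_DIRS)


if __name__ == "__main__":
    for rel, problem in audit_sample_tree():
        print(f"{problem:40} {rel}")
```

Run against a real tree, `audit_permissions("/srv", ("/srv/payroll",))` style, the same function lists the places where a user would "stumble into" data with no indication that they should not be there. The private-area rule is what turns a generic mode listing into a check of intent: 0644 is unremarkable in a web root and a finding in a payroll share.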

Even if a person does not obtain unauthorized access, it is still possible that they can cause damage with their own access levels. An employee can enter incorrect data, alter or delete existing data, tamper with systems, or any number of other activities that would result in loss. Even employees who are not disgruntled can cause damage through incompetence, such as by repeating errors that result in loss. When developing security systems and creating a risk management plan, it is important to consider the risks posed by those within the company, in addition to those from outside the organization.

Hardware and software pose risks of their own, because the business depends on them to function. If equipment such as servers, workstations, routers, or other elements of the network fail, employees may be unable to perform their duties. If data is concentrated on a single server, the data itself may be corrupted or lost. Faulty processing caused by software or hardware problems may leave information inaccurate or damaged in some other way. Failing to back up data regularly may make it impossible to replace data lost in such incidents.

A common issue that companies must deal with is vulnerabilities in the software they use. Many times, manufacturers release software either without knowing that vulnerabilities exist in the code, or planning to release service packs, patches, or bug fixes after people have purchased and installed the product. Service packs, patches, and bug fixes are software that fix known problems and security vulnerabilities. Failing to install them may cause certain features to behave improperly, or leave a system open to attack from hackers or viruses. Unfortunately, with all the software a company may have on its systems, it can be difficult to check manufacturers' Web sites regularly and download the latest patches. Hackers count on this, and will exploit such vulnerabilities if given the opportunity.

Because risk management relies on the ability to deal with such incidents, problems within the risk management process can also threaten a company. The loss of key personnel can mean that necessary skill sets and knowledge are unavailable to a company. When a problem arises, people within the company will be unable to fix the problems internally, and must spend time hiring third parties to manage the threat. Even if the staff is available, it will do the company little good if they are unable to react quickly or are so concentrated in their responsibilities that only one person can fix a given problem. Imagine the difficulties that could arise if only one member of the IT staff was familiar with routers, and was away on vacation. With no way to contact them, and no one else able to fix the problem, the threat would remain unresolved for a longer period of time. This is why it is important to ensure that anyone dealing with problems can be contacted, and multiple people are trained to deal with specific risks.

Exercise 5.02: Risks and Threats

start example

A widget manufacturer has decided to install a new server that will act as a Web server. This server will not be connected to the production network. Instead, it will be connected separately to the Internet. The Web site hosted on this server will provide information about the company and its products to people. A contact Web page will also be provided, allowing customers to contact the company and obtain support on products they purchased. When performing risk management on this product, information was acquired from other companies who have used their own Web servers to provide a Web site for customers.

Upon reviewing information provided by the other companies, certain risks and threats were identified. The companies each raised concerns about hackers hacking through the Web server, and making their way into the internal network. A method in which hackers were able to access restricted areas of the Web server was by failing to install a service pack on the operating system. The widget manufacturing company was concerned about this, because they had not installed any service packs on the new Web server. Another issue that was raised involved viruses and other malicious programs, and whether antivirus software should be installed on the server. The other companies stated that viruses and other malicious programs could damage data not only on the server, but also possibly damage data on the internal network.

  1. From the information provided, what risks are associated with the widget manufacturing company installing the Web server and hosting their own Web site?

  2. What threats will not affect the widget manufacturing company?

  3. What are the sources of threats relating to this project?

  4. What vulnerabilities exist that could be exploited?

Answers to Exercise Questions

  1. The risks associated with the widget manufacturing company installing the Web server relate to hacking and viruses. If the Web site were hacked, content on the site could be modified or deleted, which could make the company appear unprofessional or insecure to the public. If the link for sending e-mail to the company's support staff were affected, customers who do not already know that e-mail address would be unable to use this method of support. Another risk is viruses or other malicious programs damaging Web content or the files the Web server needs to operate.

  2. Threats that will not affect the widget manufacturing company are viruses on the Web server infecting the internal network, and hackers reaching the internal network through the Web server. Because the company has not connected the Web server to the production network, viruses and hackers are limited to whatever they can reach on the Web server itself. This holds only as long as the separation is real: a later management connection, a shared administrator password, or media carried between the two systems would reintroduce these threats.

  3. The sources of threats that could be identified through the information given are hackers and viruses.

  4. Vulnerabilities that could be exploited include the lack of antivirus software and the failure to apply service packs to the Web server. These vulnerabilities could be exploited by a threat, and put the company at risk.

end example

SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135