Increasing vulnerability of organizational information assets
1. Today’s interconnected, interdependent, wirelessly-networked business environment
• The Internet makes it easy for computers to connect and communicate, so organizations and individuals are exposed to untrusted networks, i.e. networks external to the organization.
• Wireless networks matter because they can be accessed anytime and anywhere, which makes matters worse.
2. Government legislation
• Many types of information must be protected by law
• CyberSecurity Malaysia is an agency under MOSTI that works to secure cyberspace in Malaysia and to protect data and information.
• It also provides security awareness information to Malaysian citizens.
3. Smaller, faster, cheaper computers and storage devices
• Thumb drives are now tiny (the microchips keep shrinking) while their capacity keeps growing, so a user can copy and walk out with large amounts of information easily.
4. Decreasing skills necessary to be a computer hacker
• Attack tools and instructions are easy to download from the Internet and can be used against any information system connected to it.
5. International organized crime taking over cybercrime.
• iDefense (http://labs.idefense.com) is a company providing security information to governments and Fortune 500 companies.
6. Downstream liability
• Company A is compromised by a perpetrator and used to attack company B's system. Company A may then be liable for damages to company B; company B is "downstream" from company A in this attack.
7. Increased employee use of unmanaged devices
8. Lack of management support
Threats to information systems
1. Unintentional acts
a) Human error
• The first category of organizational employees comprises regular employees, who span the breadth and depth of the organization, from the mail room to all functional areas.
• The second category includes contract labor, consultants, janitors and guards.
• Human errors or mistakes by employees, caused by laziness, carelessness or lack of information security awareness, pose a large problem for organizations.
• Example: carelessly losing or misplacing a device such as a thumb drive or a laptop.
• Poor password selection and use: choosing weak passwords such as a birthday or a father's name.
b) Social engineering and reverse social engineering
• Social engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information such as a password.
• Example: the attacker telephones pretending to be an employee who has forgotten their password; or the attacker plants a Trojan horse program that collects passwords and other information.
• Reverse social engineering: the employees approach the attacker (e.g. to ask for help), rather than the attacker approaching them.
c) Deviations in the quality of service by service providers
• Situations in which a product or service is not delivered to the organization as expected.
• Example: your Internet service provider has availability problems.
d) Environmental hazards
• Include dirt, dust, humidity and static electricity.
• Example: dust building up inside a computer can harm its operation.
2. Natural disasters
• Include floods, earthquakes, hurricanes, tornadoes, lightning and fires.
• Example: a modem should not be left on during a lightning storm, because a strike can damage it and disrupt the connection.
3. Technical failures
• Includes problems with hardware and software.
• Hardware: a hard disk drive crash, or a disk so full that the system slows down.
• Software: errors in computer programs, called bugs.
4. Management failures
• Lack of funding or other financial resources for information security
• Lack of interest
• Lack of leadership, e.g. no monitoring of employees
5. Deliberate acts
a) Espionage or trespass
• An unauthorized individual attempts to gain illegal access to organizational information.
• Example: IT systems are protected against unauthorized use by identification and authentication functions, e.g. user ID and password verification. If the password is sent over the network unencrypted, an attacker who can observe the traffic can read the user ID and password.
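The point above, shown in code: an added example (not from the textbook or the notes) that scans constructed sample HTTP requests, as a sniffer on the network path would see them without TLS, and pulls out the user ID and password from HTTP Basic authentication (which is only base64-encoded, not encrypted) and from a login form posted in clear. Host names, user names and passwords in the sample are invented.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample traffic (not a real capture): what a sniffer on the network
# path sees when a service authenticates over plain HTTP without TLS. Packet 0
# uses HTTP Basic authentication, packet 1 a login form, packet 2 carries no
# credential at all.
SAMPLE_PACKETS = [
    (b"GET /admin/ HTTP/1.1\r\n"
     b"Host: intranet.example.test\r\n"
     b"Authorization: Basic YWxpY2U6UGFzc3cwcmQh\r\n"
     b"\r\n"),
    (b"POST /login HTTP/1.1\r\n"
     b"Host: intranet.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 29\r\n"
     b"\r\n"
     b"username=bob&password=hunter2"),
    (b"GET /index.html HTTP/1.1\r\n"
     b"Host: intranet.example.test\r\n"
     b"\r\n"),
]

USER_FIELDS = ("username", "user", "login", "email")
PASSWORD_FIELDS = ("password", "passwd", "pass")


def split_request(raw):
    """Split a raw HTTP/1.x request into (request line, lowercased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credentials_from_basic(headers):
    """Basic auth is base64 (an encoding, not encryption): decode user:password."""
    scheme, _, token = headers.get(b"authorization", b"").partition(b" ")
    if scheme.lower() != b"basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_from_form(headers, body):
    """A login form posted without TLS carries the password verbatim in the body."""
    ctype = headers.get(b"content-type", b"").lower()
    if not ctype.startswith(b"application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode("utf-8", "replace"))
    user = next((fields[k][0] for k in USER_FIELDS if k in fields), None)
    password = next((fields[k][0] for k in PASSWORD_FIELDS if k in fields), None)
    if user is None or password is None:
        return None
    return user, password


def find_cleartext_credentials(packets):
    """Return (packet index, kind, user, password) for each packet exposing a credential."""
    findings = []
    for idx, raw in enumerate(packets):
        request_line, headers, body = split_request(raw)
        if not request_line.endswith((b"HTTP/1.1", b"HTTP/1.0")):
            continue  # not cleartext HTTP (e.g. a TLS record): nothing readable here
        creds = credentials_from_basic(headers)
        kind = "basic-auth"
        if creds is None:
            creds = credentials_from_form(headers, body)
            kind = "form-post"
        if creds is not None:
            findings.append((idx, kind, creds[0], creds[1]))
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_PACKETS):
        print("packet %d (%s): user=%r password=%r" % finding)
```

The same scan finds nothing in a TLS session, because the request line and headers are inside the encrypted record; that is the whole difference between the encrypted and unencrypted cases in the note above.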
b) Information Extortion
• The attacker either threatens to steal, or actually steals, information from a company and demands payment (for not stealing it, for returning it, or for not disclosing it).
c) Sabotage or vandalism
• Deliberately damaging objects to inflict harm on the victim. Computer centers and communications links owned by an official body or a company are particularly attractive targets, since a major effect can be achieved with slender means.
d) Theft of equipment and information
• Devices are becoming smaller and easier to steal, and easier for attackers to use to steal the information on them.
e) Identity theft
• Stealing a person's identity information, e.g. from personal e-mail or from databases holding personal information.
Compromises to intellectual property
1. Intellectual property is protected under trade secret, patent and copyright laws.
• Trade secret: a company secret that is not based on public information, e.g. a business plan.
• Patent: a document that grants the holder exclusive rights on an invention or process for 20 years.
E.g. Mustika Ratu belongs only to its company.
• Copyright: a statutory grant that gives the creator of intellectual property ownership of the property for the life of the creator plus 70 years. Owners can collect fees from anyone who wants to copy the property.
E.g. company names (strictly, names are protected as trademarks rather than by copyright).
2. Software attacks
• Malicious software tries to infect as many computers worldwide as possible.
3. Alien software: adware, spyware, spamware and cookies.
• E.g. software that reports your web-surfing habits and other personal behaviour.
4. Supervisory Control and Data Acquisition (SCADA) attacks
• Large-scale distributed measurement and control systems used to control or monitor chemical, physical or transport processes.
• E.g. sending signals to equipment, such as opening and closing a switch.
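What "sending a signal to open or close a switch" looks like on the wire, as an added example (not from the textbook or the notes): the Modbus/TCP "Write Single Coil" request that a SCADA master sends to switch one digital output on or off, with an encoder, a decoder, and a small monitor. Modbus carries no authentication, so a device executes any well-formed request it receives; the monitor therefore flags coil writes from hosts that are not on an allowlist of engineering workstations. The IP addresses and coil numbers below are constructed.

```python
import struct

# Modbus/TCP "Write Single Coil" request (function code 0x05). Layout, all
# fields big-endian:
#   MBAP header: transaction id (2) | protocol id (2, always 0) |
#                length (2, number of bytes that follow) | unit id (1)
#   PDU:         function code (1) | coil address (2) | value (2)
# value is 0xFF00 for ON and 0x0000 for OFF; any other value is illegal.
FC_WRITE_SINGLE_COIL = 0x05
COIL_ON = 0xFF00
COIL_OFF = 0x0000
FRAME_LEN = 12  # 7-byte MBAP header + 5-byte PDU


def build_write_coil(transaction_id, unit_id, coil_address, on):
    """Encode a Write Single Coil request for one output (a switch, a valve, ...)."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil_address,
                      COIL_ON if on else COIL_OFF)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_write_coil(frame):
    """Decode a Write Single Coil request; raise ValueError for anything else."""
    if len(frame) != FRAME_LEN:
        raise ValueError("unexpected frame length %d" % len(frame))
    tid, pid, length, unit, fc, addr, value = struct.unpack(">HHHBBHH", frame)
    if pid != 0 or length != FRAME_LEN - 6:
        raise ValueError("malformed MBAP header")
    if fc != FC_WRITE_SINGLE_COIL:
        raise ValueError("function code 0x%02x is not Write Single Coil" % fc)
    if value not in (COIL_ON, COIL_OFF):
        raise ValueError("illegal coil value 0x%04x" % value)
    return {"transaction_id": tid, "unit_id": unit, "coil": addr,
            "on": value == COIL_ON}


def flag_unauthorized_writes(observed, allowed_sources):
    """observed: list of (source_ip, frame) seen on the control network.
    Returns (source_ip, coil, on) for every coil write whose sender is not in
    allowed_sources; frames that are not well-formed coil writes are ignored.
    The allowlist stands in for the authentication the protocol itself lacks."""
    flagged = []
    for src, frame in observed:
        try:
            req = parse_write_coil(frame)
        except ValueError:
            continue
        if src not in allowed_sources:
            flagged.append((src, req["coil"], req["on"]))
    return flagged


if __name__ == "__main__":
    frame = build_write_coil(transaction_id=1, unit_id=1, coil_address=0x0013, on=True)
    print(frame.hex())  # 00010000000601050013ff00
    print(parse_write_coil(frame))
    # Constructed traffic: 10.0.0.5 is the engineering workstation, 10.0.0.77 is unknown.
    traffic = [
        ("10.0.0.5", build_write_coil(1, 1, 0x0013, True)),
        ("10.0.0.77", build_write_coil(2, 1, 0x0013, False)),
    ]
    print(flag_unauthorized_writes(traffic, {"10.0.0.5"}))
```

The decoder rejects any value other than 0xFF00/0x0000 and any frame whose length field does not match, so the monitor does not raise alerts on truncated or non-Modbus traffic; in practice the allowlist would be fed from the capture source rather than a hard-coded set.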
5. Cyberterrorism and Cyberwarfare.
• Ranges from gathering data to attacking critical infrastructure.
Source: Introduction to Information Systems (Enabling and Transforming Business), International Student Version
Authors: R. Kelly Rainer Jr. and Efraim Turban