Inspection

HUMAN THREATS

Human Error

• Accidental destruction, modification, disclosure, or incorrect classification of information

• Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge

• Workload: Too many or too few system administrators, highly pressured users

• Users may inadvertently give information on security weaknesses to attackers

• Incorrect system configuration

• Security policy not adequate

• Security policy not enforced

• Security analysis may have omitted something important or be wrong

Dishonesty: Fraud, theft, embezzlement, selling of confidential agency information

Attacks by “social engineering”

• Attackers may use the telephone to impersonate employees and persuade users/administrators to give out user names, passwords, modem numbers, etc.

• Attackers may persuade users to execute Trojan horse programs

Abuse of privileges/trust

GENERAL THREATS

Unauthorized use of “open” computers/laptops

Mixing of test and production data or environments

Introduction of unauthorized software or hardware

Time bombs: Software programmed to damage a system on a certain date

Operating system design errors: Certain systems were not designed to be highly secure

Protocol design errors: Certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in:

• Source routing, DNS spoofing, TCP sequence guessing, unauthorized access

• Hijacked sessions and authentication session/transaction replay; data changed or copied during transmission

• Denial of service, due to ICMP bombing, TCP-SYN flooding, large PING packets, etc.

Logic bomb: Software programmed to damage a system under certain conditions

Viruses in programs, documents, e-mail attachments

IDENTIFICATION AUTHORIZATION THREATS

Attack programs masquerading as normal programs (Trojan horses)

Attack hardware masquerading as normal commercial hardware

External attackers masquerading as valid users or customers

Internal attackers masquerading as valid users or customers

Attackers masquerading as helpdesk/support personnel

PRIVACY THREATS

Eavesdropping

Electromagnetic eavesdropping / Van Eck radiation

Telephone/fax eavesdropping (via “clip-on” telephone bugs, inductive sensors, or hacking the public telephone exchanges)

Network eavesdropping. Unauthorized monitoring of sensitive data crossing the internal network, unknown to the data owner

Subversion of DNS to redirect email or other traffic

Subversion of routing protocols to redirect email or other traffic

Radio signal eavesdropping

Rubbish eavesdropping (analyzing waste for confidential documents, etc.)

INTEGRITY / ACCURACY THREATS

Malicious, deliberate damage of information or information processing functions from external sources

Malicious, deliberate damage of information or information processing functions from internal sources

Deliberate modification of information

ACCESS CONTROL THREATS

Password cracking (access to password files, use of bad – blank, default, rarely changed – passwords)

External access to password files, and sniffing of the networks

Attack programs allowing external access to systems (back doors visible to external networks)

Attack programs allowing internal access to systems (back doors visible to internal networks)

Unsecured maintenance modes, developer backdoors

Modems easily connected, allowing uncontrollable extension of the internal network

Bugs in network software which can open unknown/unexpected security holes (holes can be exploited from external networks to gain access; this threat grows as software becomes increasingly complex)

Unauthorized physical access to system

REPUDIATION THREAT

Receivers of confidential information may refuse to acknowledge receipt

Senders of confidential information may refuse to acknowledge source

LEGAL THREATS

Failure to comply with regulatory or legal requirements (e.g., to protect confidentiality of employee data)

Liability for acts of internal users or attackers who abuse the system to perpetrate unlawful acts (e.g., incitement to racism, gambling, money laundering, distribution of pornographic or violent material)

Liability for damages if an internal user attacks other sites.

RELIABILITY OF SERVICE THREATS

Major natural disasters: fire, smoke, water, earthquake, storms/hurricanes/tornadoes, power outages, etc.

Minor natural disasters, of short duration, or causing little damage

Major human-caused disasters: war, terrorist incidents, bombs, civil disturbance, dangerous chemicals, radiological accidents, etc.

Equipment failure from defective hardware, cabling, or communications system

Equipment failure from airborne dust, electromagnetic interference, or static electricity

Denial of Service:

• Network abuse: Misuse of routing protocols to confuse and mislead systems

• Server overloading (processes, swap space, memory, “tmp” directories, overloading services)

• Email bombing

• Downloading or receipt of malicious applets, ActiveX controls, macros, PostScript files, etc.

Sabotage: Malicious, deliberate damage of information or information processing functions

• Physical destruction of network interface devices, cables

• Physical destruction of computing devices or media

• Destruction of electronic devices and media by electromagnetic radiation weapons (HERF Gun, EMP/T Gun)

• Deliberate electrical overloads or shutting off electrical power

• Viruses and/or worms; deletion of critical system files

COMPLETION

Recommendations

IT Personnel (Full Name and Signature)

Cyber Security Threat Assessment Checklist

Created by: SafetyCulture Staff | Industry: General | Downloads: 8

A cyber security threat assessment checklist helps to identify threats (natural, human, and environmental) that may occur within information systems. It is used to assign risk ratings (High, Medium, Low) to threats that may affect the performance of the operating environment.
