Title Page

  • Department

  • Date and Time of Inspection

  • IT Personnel

HUMAN THREATS

  • Human Error

    • Accidental destruction, modification, disclosure, or incorrect classification of information

    • Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge

    • Workload: too many or too few system administrators, highly pressured users

    • Users may inadvertently give information on security weaknesses to attackers

    • Incorrect system configuration

    • Security policy not adequate

    • Security policy not enforced

    • Security analysis may have omitted something important or be wrong

  • Dishonesty: Fraud, theft, embezzlement, selling of confidential agency information

  • Attacks by “social engineering”

    • Attackers may use the telephone to impersonate employees and persuade users/administrators to give out user names, passwords, modem numbers, etc.

    • Attackers may persuade users to execute Trojan horse programs

  • Abuse of privileges/trust

GENERAL THREATS

  • Unauthorized use of “open” computers/laptops

  • Mixing of test and production data or environments

  • Introduction of unauthorized software or hardware

  • Time bombs: Software programmed to damage a system on a certain date

  • Operating system design errors: Certain systems were not designed to be highly secure

  • Protocol design errors: Certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in:

    • Source routing, DNS spoofing, TCP sequence guessing, unauthorized access

    • Hijacked sessions, replay of authentication sessions or transactions, and data changed or copied during transmission

    • Denial of service, due to ICMP bombing, TCP SYN flooding, oversized PING packets, etc.

  • Logic bomb: Software programmed to damage a system under certain conditions

  • Viruses in programs, documents, e-mail attachments

IDENTIFICATION AUTHORIZATION THREATS

  • Attack programs masquerading as normal programs (Trojan horses)

  • Attack hardware masquerading as normal commercial hardware

  • External attackers masquerading as valid users or customers

  • Internal attackers masquerading as valid users or customers

  • Attackers masquerading as helpdesk/support personnel

PRIVACY THREATS

  • Eavesdropping

  • Electromagnetic eavesdropping / Van Eck radiation

  • Telephone/fax eavesdropping (via “clip-on” telephone bugs, inductive sensors, or hacking of the public telephone exchanges)

  • Network eavesdropping. Unauthorized monitoring of sensitive data crossing the internal network, unknown to the data owner

  • Subversion of DNS to redirect email or other traffic

  • Subversion of routing protocols to redirect email or other traffic

  • Radio signal eavesdropping

  • Rubbish eavesdropping (analyzing waste for confidential documents, etc.)

INTEGRITY / ACCURACY THREATS

  • Malicious, deliberate damage of information or information processing functions from external sources

  • Malicious, deliberate damage of information or information processing functions from internal sources

  • Deliberate modification of information

ACCESS CONTROL THREATS

  • Password cracking (access to password files, use of bad – blank, default, rarely changed – passwords)

  • External access to password files, and sniffing of the networks

  • Attack programs allowing external access to systems (back doors visible to external networks)

  • Attack programs allowing internal access to systems (back doors visible to internal networks)

  • Unsecured maintenance modes, developer backdoors

  • Modems easily connected, allowing uncontrollable extension of the internal network

  • Bugs in network software which can open unknown/unexpected security holes (holes can be exploited from external networks to gain access; this threat grows as software becomes increasingly complex)

  • Unauthorized physical access to system

REPUDIATION THREAT

  • Receivers of confidential information may refuse to acknowledge receipt

  • Senders of confidential information may refuse to acknowledge source

LEGAL THREATS

  • Failure to comply with regulatory or legal requirements (e.g., to protect confidentiality of employee data)

  • Liability for acts of internal users or attackers who abuse the system to perpetrate unlawful acts (e.g., incitement to racism, gambling, money laundering, distribution of pornographic or violent material)

  • Liability for damages if an internal user attacks other sites.

RELIABILITY OF SERVICE THREATS

  • Major natural disasters: fire, smoke, water, earthquake, storms/hurricanes/tornadoes, power outages, etc.

  • Minor natural disasters, of short duration, or causing little damage

  • Major human-caused disasters: war, terrorist incidents, bombs, civil disturbance, dangerous chemicals, radiological accidents, etc.

  • Equipment failure from defective hardware, cabling, or communications system

  • Equipment failure from airborne dust, electromagnetic interference, or static electricity

  • Denial of Service:

    • Network abuse: misuse of routing protocols to confuse and mislead systems

    • Server overloading (processes, swap space, memory, “tmp” directories, overloaded services)

    • Email bombing

    • Downloading or receipt of malicious applets, ActiveX controls, macros, PostScript files, etc.

  • Sabotage: malicious, deliberate damage of information or information processing functions

    • Physical destruction of network interface devices, cables

    • Physical destruction of computing devices or media

    • Destruction of electronic devices and media by electromagnetic radiation weapons (HERF gun, EMP/T gun)

    • Deliberate electrical overloads or shutting off electrical power

    • Viruses and/or worms; deletion of critical system files

COMPLETION

  • Recommendations

  • IT Personnel (Full Name and Signature)

The templates available in our Public Library have been created by our customers and employees to help get you started using SafetyCulture's solutions. The templates are intended to be used as hypothetical examples only and should not be used as a substitute for professional advice. You should seek your own professional advice to determine if the use of a template is permissible in your workplace or jurisdiction. You should independently determine whether the template is suitable for your circumstances.