Title Page
-
Department
-
Date and Time of Inspection
-
IT Personnel
HUMAN THREATS
-
Human Error
-
• Accidental destruction, modification, disclosure, or incorrect classification of information
-
• Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge
-
• Workload: Too many or too few system administrators, highly pressured users
-
• Users may inadvertently give information on security weaknesses to attackers
-
• Incorrect system configuration
-
• Security policy not adequate
-
• Security policy not enforced
-
• Security analysis may have omitted something important or be wrong
-
Dishonesty: Fraud, theft, embezzlement, selling of confidential agency information
-
Attacks by “social engineering”
-
• Attackers may use the telephone to impersonate employees and persuade users/administrators to give out user names, passwords, modem numbers, etc.
-
• Attackers may persuade users to execute Trojan Horse programs (e.g. a “useful utility” or an e-mail attachment)
-
Abuse of privileges/trust
GENERAL THREATS
-
Unauthorized use of “open” (unattended, unlocked) computers/laptops
-
Mixing of test and production data or environments
-
Introduction of unauthorized software or hardware
-
Time bombs: Software programmed to damage a system on a certain date
-
Operating system design errors: Certain systems were not designed to be highly secure
-
Protocol design errors: Certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in:
-
• Unauthorized access via IP source routing, DNS spoofing, or TCP initial sequence number guessing (IP spoofing)
-
• Hijacked sessions, replay of authentication sessions or transactions, and data changed or copied in transit
-
• Denial of service due to ICMP flooding, TCP SYN flooding, oversized PING packets (“Ping of Death”), etc.
-
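The TCP SYN flooding item above describes an attack that leaves a recognisable footprint: many connections to one destination that received a SYN but were never completed. The following is an added example, not part of the original inspection form, that replays connection records through the three-way-handshake state machine and flags destinations with an abnormal number of half-open connections. The record layout ("time client server flags") and the records themselves are constructed for the example and are not any real tool's output.

```python
"""Flag TCP SYN flooding from connection records.

Added example for the TCP/IP protocol-weakness items of this checklist; it is
not part of the original inspection form. The record format
"time client server flags" and the records below are constructed for the
example; they are not any real tool's output.
"""
from collections import Counter, defaultdict

# Constructed: one completed handshake to 192.0.2.10:80, then 200 SYNs from
# spoofed sources to 192.0.2.10:443 that are never completed.
SAMPLE_RECORDS = (
    "0.001 10.0.0.5:51000 192.0.2.10:80 S\n"
    "0.002 192.0.2.10:80 10.0.0.5:51000 SA\n"
    "0.003 10.0.0.5:51000 192.0.2.10:80 A\n"
    + "".join(
        f"0.{100 + i:03d} 198.51.100.{i % 250 + 1}:{40000 + i} 192.0.2.10:443 S\n"
        for i in range(200)
    )
)


def parse_records(text):
    """Parse 'time src dst flags' lines into dicts (S = SYN, SA = SYN-ACK, A = ACK)."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, flags = line.split()
        records.append({"time": float(ts), "src": src, "dst": dst, "flags": flags})
    return records


def track_handshakes(records):
    """Return {(client, server): state}, state in SYN, SYNACK, ESTABLISHED.

    The flow key is always (client, server); a SYN-ACK travels server -> client,
    so its src/dst are swapped before the lookup.
    """
    states = {}
    for r in records:
        if r["flags"] == "S":
            states[(r["src"], r["dst"])] = "SYN"
        elif r["flags"] == "SA":
            key = (r["dst"], r["src"])
            if states.get(key) == "SYN":
                states[key] = "SYNACK"
        elif r["flags"] == "A":
            key = (r["src"], r["dst"])
            if states.get(key) == "SYNACK":
                states[key] = "ESTABLISHED"
    return states


def half_open_by_destination(states):
    """Count connections that never reached ESTABLISHED, per server, with their source IPs."""
    counts = Counter()
    sources = defaultdict(set)
    for (client, server), state in states.items():
        if state != "ESTABLISHED":
            counts[server] += 1
            sources[server].add(client.rsplit(":", 1)[0])
    return counts, sources


def detect_syn_flood(text, threshold=50):
    """Return one alert per destination whose half-open count reaches the threshold."""
    states = track_handshakes(parse_records(text))
    counts, sources = half_open_by_destination(states)
    alerts = []
    for server, n in counts.most_common():
        if n >= threshold:
            alerts.append({
                "destination": server,
                "half_open": n,
                "distinct_sources": len(sources[server]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(SAMPLE_RECORDS):
        print(alert)
```

A large number of distinct source addresses behind one flooded destination is itself a sign that the sources are spoofed. In practice the count should be taken over a sliding time window rather than over the whole record set, and the corrective control on Linux hosts is to enable SYN cookies (`net.ipv4.tcp_syncookies`) so the backlog cannot be exhausted.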
Logic bomb: Software programmed to damage a system under certain conditions
-
Viruses in programs, documents, e-mail attachments
IDENTIFICATION / AUTHENTICATION THREATS
-
Attack programs masquerading as normal programs (Trojan horses)
-
Attack hardware masquerading as normal commercial hardware
-
External attackers masquerading as valid users or customers
-
Internal attackers masquerading as valid users or customers
-
Attackers masquerading as helpdesk/support personnel
PRIVACY THREATS
-
Eavesdropping
-
Electromagnetic eavesdropping / Van Eck radiation (reconstructing displayed or transmitted data from a device’s emissions)
-
Telephone/fax eavesdropping (via “clip-on” telephone bugs, inductive sensors, or hacking of the public telephone exchanges)
-
Network eavesdropping. Unauthorized monitoring of sensitive data crossing the internal network, unknown to the data owner
-
Subversion of DNS to redirect e-mail or other traffic
-
Subversion of routing protocols to redirect email or other traffic
-
Radio signal eavesdropping
-
Rubbish eavesdropping (“dumpster diving”: analyzing waste for confidential documents, discarded media, etc.)
INTEGRITY / ACCURACY THREATS
-
Malicious, deliberate damage of information or information processing functions from external sources
-
Malicious, deliberate damage of information or information processing functions from internal sources
-
Deliberate modification of information
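The three integrity items above are detected the same way in practice: by comparing the current state of information against a trusted baseline. The following is an added example, not part of the original inspection form, that hashes every file under a directory, records the digests as a baseline, and later reports what was modified, deleted or added. The directory tree, file contents and the simulated tampering in `demo()` are constructed for the example.

```python
"""Baseline-and-compare file integrity check.

Added example for the integrity/accuracy items of this checklist; it is not
part of the original inspection form. The directory layout and file contents
in demo() are constructed for the example.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map of path (relative to root, '/'-separated) -> SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Report deviations from the baseline as sorted lists of relative paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a constructed tree, take a baseline, tamper with the tree, return the report."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "etc/hosts": "127.0.0.1 localhost\n",
            "bin/backup.sh": "#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n",
        }
        for rel, content in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        baseline = build_baseline(root)

        # Simulated deliberate modification: a UID-0 account is appended to
        # passwd, the backup script is removed, and an unexpected binary appears.
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/bash\n")
        os.remove(os.path.join(root, "bin", "backup.sh"))
        with open(os.path.join(root, "bin", "nc"), "w") as fh:
            fh.write("constructed stand-in for an unauthorized binary\n")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline is only as trustworthy as its storage: an attacker who can modify the files can usually regenerate the baseline too, so keep it off the inspected host or sign it, and take it from a known-good state (freshly installed from vendor media) rather than from a system already in service.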
ACCESS CONTROL THREATS
-
Password cracking (access to password files; use of bad passwords: blank, default, or rarely changed)
-
External access to password files, and sniffing of passwords from the network
-
Attack programs allowing external access to systems (back doors visible to external networks)
-
Attack programs allowing internal access to systems (back doors visible to internal networks)
-
Unsecured maintenance modes, developer backdoors
-
Modems easily connected, allowing uncontrollable extension of the internal network
-
Bugs in network software which can open unknown/unexpected security holes (holes can be exploited from external networks to gain access; this threat grows as software becomes increasingly complex)
-
Unauthorized physical access to system
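The password items in this section (blank, default, rarely changed passwords; exposure of the password file) can be checked directly against the system's password file. The following is an added example, not part of the original inspection form, that audits shadow(5)-format entries for those weaknesses and also flags obsolete hash schemes, which make a stolen password file cheap to crack. The entries in `SAMPLE_SHADOW` are constructed: the hash fields are placeholder strings of the right shape, not real credentials, and `DEFAULT_ACCOUNTS` is an assumed list of account names that installers commonly leave enabled.

```python
"""Audit /etc/shadow-style entries for blank, weak, default and stale passwords.

Added example for the access-control items of this checklist; it is not part
of the original inspection form. SAMPLE_SHADOW is constructed (placeholder
hashes, not real credentials) and DEFAULT_ACCOUNTS is an assumed list.
"""
import re
from datetime import date

# Assumed: account names that vendors or installers often leave enabled.
DEFAULT_ACCOUNTS = {"admin", "guest", "test", "user", "operator"}

# Constructed sample file. Field order follows shadow(5):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$PLACEHOLDERSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19500:1:90:14:::
backup::19000:0:99999:7:::
svc_legacy:$1$abcdefgh$PLACEHOLDERMD5HASHxxxx:17000:0:99999:7:::
dave:abCDefGHijKL1:19600:0:90:7:::
admin:$6$fieldkit$PLACEHOLDERSHA512HASHyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:18000:0:90:7:::
daemon:*:19000:0:99999:7:::
alice:!$6$locked$PLACEHOLDERSHA512HASHzzzz:19400:0:90:7:::
guest:!!:19000:0:99999:7:::
"""


def is_locked(hash_field):
    """A hash field starting with '!' or '*' means no password login is possible."""
    return hash_field.startswith(("!", "*"))


def hash_scheme(hash_field):
    """crypt(3) scheme id: '1' MD5, '5' SHA-256, '6' SHA-512, '2b' bcrypt, 'y' yescrypt,
    'des' for a 13-character traditional DES hash, else 'unknown'."""
    if hash_field.startswith("$"):
        return hash_field.split("$")[1]
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "des"
    return "unknown"


def audit_entry(line, today_days, max_age_days):
    """Return (user, issue) findings for one shadow entry."""
    fields = line.split(":")
    if len(fields) < 5:
        raise ValueError(f"malformed shadow entry: {line!r}")
    user, hash_field, last_change, _min_days, max_days = fields[:5]
    findings = []
    if is_locked(hash_field):
        return findings  # disabled account: nothing to audit
    if hash_field == "":
        findings.append((user, "blank-password"))  # login without any password
    else:
        scheme = hash_scheme(hash_field)
        if scheme == "1":
            findings.append((user, "weak-hash-md5"))
        elif scheme == "des":
            findings.append((user, "weak-hash-des"))
        elif scheme == "unknown":
            findings.append((user, "unrecognized-hash"))
    if user in DEFAULT_ACCOUNTS:
        findings.append((user, "default-account-enabled"))
    # last_change is days since 1970-01-01; compare against the audit policy.
    if last_change.isdigit() and today_days - int(last_change) > max_age_days:
        findings.append((user, "stale-password"))
    if max_days == "" or (max_days.isdigit() and int(max_days) >= 99999):
        findings.append((user, "no-expiry"))
    return findings


def audit_shadow(text, today_days, max_age_days=365):
    """Audit every non-comment line; today_days is today as days since the epoch."""
    findings = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            findings.extend(audit_entry(line, today_days, max_age_days))
    return findings


if __name__ == "__main__":
    today = (date.today() - date(1970, 1, 1)).days
    for user, issue in audit_shadow(SAMPLE_SHADOW, today):
        print(f"{user}: {issue}")
```

Running this against a real system requires root to read `/etc/shadow`; if an unprivileged user can read it, that is itself the "external access to password files" finding above.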
REPUDIATION THREAT
-
Receivers of confidential information may refuse to acknowledge receipt
-
Senders of confidential information may refuse to acknowledge source
LEGAL THREATS
-
Failure to comply with regulatory or legal requirements (e.g., failure to protect the confidentiality of employee data)
-
Liability for acts of internal users or attackers who abuse the system to perpetrate unlawful acts (e.g., incitement to racism, illegal gambling, money laundering, distribution of pornographic or violent material)
-
Liability for damages if an internal user attacks other sites.
RELIABILITY OF SERVICE THREATS
-
Major natural disasters: fire, smoke, water, earthquake, storms/hurricanes/tornadoes, power outages, etc.
-
Minor natural disasters, of short duration, or causing little damage
-
Major human-caused disasters: war, terrorist incidents, bombs, civil disturbance, dangerous chemicals, radiological accidents, etc.
-
Equipment failure from defective hardware, cabling, or communications system
-
Equipment failure from airborne dust, electromagnetic interference, or static electricity
-
Denial of Service:
-
• Network abuse: Misuse of routing protocols to confuse and mislead systems
-
• Server overloading (exhausting processes, swap space, memory, “tmp” directories, or service capacity)
-
• Email bombing
-
• Downloading or receipt of malicious applets, ActiveX controls, macros, PostScript files, etc.
-
Sabotage: Malicious, deliberate damage of information or information processing functions
-
• Physical destruction of network interface devices, cables
-
• Physical destruction of computing devices or media
-
• Destruction of electronic devices and media by electromagnetic radiation weapons (HERF Gun, EMP/T Gun)
-
• Deliberate electrical overloads or shutting off electrical power
-
• Viruses and/or worms; deletion of critical system files
COMPLETION
-
Recommendations
-
IT Personnel (Full Name and Signature)