Human Error

• Accidental destruction, modification, disclosure, or incorrect classification of information

• Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge

• Workload: Too many or too few system administrators, highly pressured users

• Users may inadvertently give information on security weaknesses to attackers

• Incorrect system configuration

• Security policy not adequate

• Security policy not enforced

• Security analysis may have omitted something important or be wrong

Dishonesty: Fraud, theft, embezzlement, selling of confidential agency information

Attacks by “social engineering”

• Attackers may use the telephone to impersonate employees and persuade users/administrators to give up user names/passwords/modem numbers, etc.

• Attackers may persuade users to execute Trojan Horse programs

Abuse of privileges/trust


Unauthorized use of “open” computers/laptops

Mixing of test and production data or environments

Introduction of unauthorized software or hardware

Time bombs: Software programmed to damage a system on a certain date

Operating system design errors: Certain systems were not designed to be highly secure

Protocol design errors: Certain protocols were not designed to be highly secure. Protocol weaknesses in TCP/IP can result in:

• Source routing, DNS spoofing, TCP sequence guessing, unauthorized access

• Hijacked sessions and authentication session/transaction replay; data is changed or copied during transmission

• Denial of service, due to ICMP bombing, TCP-SYN flooding, large PING packets, etc.

Logic bomb: Software programmed to damage a system under certain conditions

Viruses in programs, documents, e-mail attachments


Attack programs masquerading as normal programs (Trojan horses)

Attack hardware masquerading as normal commercial hardware

External attackers masquerading as valid users or customers

Internal attackers masquerading as valid users or customers

Attackers masquerading as helpdesk/support personnel



Electromagnetic eavesdropping / Van Eck radiation

Telephone/fax eavesdropping (via “clip-on” telephone bugs, inductive sensors, or hacking the public telephone exchanges)

Network eavesdropping. Unauthorized monitoring of sensitive data crossing the internal network, unknown to the data owner

Subversion of DNS to redirect email or other traffic

Subversion of routing protocols to redirect email or other traffic

Radio signal eavesdropping

Rubbish eavesdropping (analyzing waste for confidential documents, etc.)


Malicious, deliberate damage of information or information processing functions from external sources

Malicious, deliberate damage of information or information processing functions from internal sources

Deliberate modification of information


Password cracking (access to password files, use of bad – blank, default, rarely changed – passwords)

External access to password files, and sniffing of the networks

Attack programs allowing external access to systems (back doors visible to external networks)

Attack programs allowing internal access to systems (back doors visible to internal networks)

Unsecured maintenance modes, developer backdoors

Modems easily connected, allowing uncontrollable extension of the internal network

Bugs in network software which can open unknown/unexpected security holes (holes can be exploited from external networks to gain access; this threat grows as software becomes increasingly complex)

Unauthorized physical access to system


Receivers of confidential information may refuse to acknowledge receipt

Senders of confidential information may refuse to acknowledge source


Failure to comply with regulatory or legal requirements (e.g., to protect the confidentiality of employee data)

Liability for acts of internal users or attackers who abuse the system to perpetrate unlawful acts (e.g., incitement to racism, gambling, money laundering, distribution of pornographic or violent material)

Liability for damages if an internal user attacks other sites.


Major natural disasters: fire, smoke, water, earthquake, storms/hurricanes/tornadoes, power outages, etc.

Minor natural disasters, of short duration, or causing little damage

Major human-caused disasters: war, terrorist incidents, bombs, civil disturbance, dangerous chemicals, radiological accidents, etc.

Equipment failure from defective hardware, cabling, or communications system

Equipment failure from airborne dust, electromagnetic interference, or static electricity

Denial of Service:

• Network abuse: Misuse of routing protocols to confuse and mislead systems

• Server overloading (processes, swap space, memory, “tmp” directories, overloading services)

• Email bombing

• Downloading or receipt of malicious Applets, ActiveX controls, macros, PostScript files, etc.

Sabotage: Malicious, deliberate damage of information or information processing functions

• Physical destruction of network interface devices, cables

• Physical destruction of computing devices or media

• Destruction of electronic devices and media by electromagnetic radiation weapons (HERF Gun, EMP/T Gun)

• Deliberate electrical overloads or shutting off electrical power

• Viruses and/or worms; deletion of critical system files



IT Personnel (Full Name and Signature)