Tackling threats to the organisation
about various threats to your business is a good first step towards preventing
them. Here are a few instances of internal and external threats that a CIO should
look out for. by Narayan Sau.
A threat is a potential occurrence that can have an undesirable effect on the
system's assets or resources and is a danger that may have undesirable
consequences. Internal security attacks can be either malicious or inadvertent
in nature. Regardless of what prompts an internal security breach, one thing
is certain: the impact of internal security issues has negative repercussions
on an organisation from a technical and a business perspective.
Awareness of information security continues to grow with new reports of hackers,
organised crime, fringe groups, internal espionage and even terrorists exploiting
technology for their own profit and motives. Many enterprises have suffered
losses that can no longer be considered a part of the cost of doing business.
As businesses venture into e-commerce, the need for secure networks is imperative.
Banking and telecommunications are dependent on the availability of reliable
and secure networks. As network connectivity increases at a rate beyond the
capacity to implement controls, market pressures on hardware and software vendors
reduce the introduction of security features and testing prior to products being
released. Retrofitting security into existing systems and applications is difficult,
expensive, and, in some cases, impossible without serious operational impact.
Few organisations understand and qualify specific threats in order to evaluate
risks accurately. The consequences can be extreme. Not only are some threats
overlooked, but also resources and budgets are misapplied to threats that do
not exist or have a minimal impact.
The technology is changing faster than traditional risk assessment models can
adapt to a new working environment. Organisations are not only increasing the
size of their networks by adding more systems, they are also adding new dimensions
of connectivity and complexity. Back-end business processes such as suppliers,
contractors and partners, and front-end processes such as clients and customers
are increasingly integrated into a seamless network.
To make matters worse, the inherently insecure Internet and underlying telecommunications
infrastructure are the de facto standard when it comes to providing connectivity.
They are top priority in terms of security concerns.
The definition of internal threats is broadening. It is no longer about the
disgruntled and dissatisfied employee within the company who misuses confidential
information. It's also about where users are accessing systems and data. It is
fairly easy to create a small piece of software that will attack the internal
network once it is planted on any computer system within the corporate network.
Distributing the programme can be done by anyone without any special computer
skills. In most cases, the person who installs the malicious software is not
aware of it.
WAYS TO HARM
Once a malicious programme has been installed, it can cause harm in various
ways. The most typical mechanisms are:
- Gaining user access and pretending to be a legitimate
user taking action.
- Capturing confidential data for industrial espionage
or other purposes.
- Destroying corporate data to do financial damage.
- Causing network and system shortages to paralyse
the company's operations.
Security threats arising from within are increasing the operational
risks of businesses. There may be a loss of reputation in the esteem of customers,
partners and investors. There may also be a risk of business interruption and
violation of legal and regulatory requirements to protect sensitive customer
information. Two other factors are:
- Unauthorised access to information where access
includes disclosure, modification and destruction.
- Unauthorised users, i.e. individuals who have not
been granted the right to access the system.
Social engineering is being used to obtain confidential information by manipulating
legitimate users. It is a new type of internal attack similar to phishing
in which a malicious insider, with access to company information, tricks
other users into providing access to restricted information.
Social engineers rely on the fact that people are not aware of the value of
the information they possess and are careless about protecting it. These malcontents
will search dumpsters or take advantage of people's natural inclination
to choose passwords that are meaningful to them (like a close relative's
name or date of birth, or names of gods and goddesses) but can be easily guessed.
Social engineering remains a key threat to any security system.
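As an added illustration (not part of the original article), the sketch below shows a check that a password-change routine could run to reject passwords built from the personal details described above: names of relatives, dates of birth and names of deities. The profile fields, the sample profile and the substitution table are assumptions constructed for the example.

```python
import re
from datetime import date

# Common character substitutions undone before matching (constructed table).
LEET = str.maketrans("0134578@$!", "oieastbasi")

def date_forms(d):
    """Digit strings people commonly derive from a date."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    return {dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd,
            dd + mm + yyyy[2:], mm + dd + yyyy[2:], yyyy}

def guessable_reasons(password, profile):
    """Return sorted reasons the password is tied to the user's profile."""
    raw = password.lower()
    # Letters after undoing substitutions, so "V1kr@m" is compared as "vikram".
    letters = re.sub(r"[^a-z]", "", raw.translate(LEET))
    # Digits exactly as typed, for date-of-birth patterns.
    digits = re.sub(r"\D", "", raw)
    reasons = set()
    for kind in ("names", "words"):
        for value in profile.get(kind, []):
            for part in re.split(r"[^a-z]+", value.lower()):
                if len(part) >= 3 and part in letters:
                    reasons.add(f"{kind[:-1]}:{part}")
    for d in profile.get("dates", []):
        for form in date_forms(d):
            if form in digits:
                reasons.add(f"date:{form}")
    return sorted(reasons)

# Constructed sample profile: the user's own and a relative's name, a date of
# birth, and a short organisation-supplied list of deity names.
SAMPLE_PROFILE = {
    "names": ["Anita Rao", "Vikram Rao"],
    "dates": [date(1975, 8, 14)],
    "words": ["ganesha", "lakshmi"],
}

if __name__ == "__main__":
    for candidate in ("V1kr@m!", "14081975", "G4nesha#2020", "tq-Wobble-plinth-88"):
        print(candidate, guessable_reasons(candidate, SAMPLE_PROFILE))
```

An empty list means no link to the profile was found; any other result is a reason to ask the user for a different password.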
OTHER INTERNAL THREATS
There may be loss of data, data corruption, and backup failures which lead to
There may also be embezzlement and theft of Call Detail Records (CDRs). At telcos,
internal users sometimes bypass the usage record from billing for some subscribers
by deleting the CDRs from the database or by changing the programme to overlook
may be identity theft of a customer's valuable information such as credit
card information, address and date of birth.
Identity theft and fraud are terms used to refer to all types of crime in which
someone wrongfully obtains and uses another person's personal data in some
way that involves fraud or deception, typically for economic gain.
Information used in biometrics (face image, palm print, hand geometry, fingerprint,
iris/retina scan, voice recognition and handwriting) is unique to a person
and cannot be given to someone else for their use. However, personal data, especially
a bank account or credit card number, telephone calling card number, and other
valuable identity data can be used by the wrong people for malicious purposes.
NOT SO INNOCENT
Browsing Web sites and using Web-based e-mail can seem an innocent activity
to the user, but both activities can disrupt normal business activity. There
are viruses (e.g. Choke virus) that are specifically aimed at Instant Messaging
(IM) systems. Anti-virus tools at the gateway do not detect IM, so infected
files can seep into the desktop and then into the network. Also, listening to
music leads to a threat from passive viruses.
Sometimes, when a company's log book or notebook is lost, some important
information may be at risk.
External threats are mixed threats that combine multiple characteristics such
as worm, virus, spam and denial of service (DoS). Every day, hundreds of new
ways are discovered by intruders and hackers. There are more than 30,000 hacking-oriented
Web sites, so it no longer needs a guru to hack a site.
Here are some of the common external threats.
- DoS: An attacker may try to flood the system with
a large number of messages, causing a system overload and possibly leading
to a denial of service situation where users are unable to access the service.
- Intercept messages: An attacker may intercept and
read the content of messages (including the message origin and final destination,
arrival and departure order and time) exchanged by users.
- Viruses and worms: These originate from outside
sources, either targeted at the company or randomly spread on the network
through users or the Internet. They lead to situations such as Web site defacement,
and nasty viruses and worms that tunnel their way into a network and destroy
or alter data and applications, and monopolise system resources by duplicating
and spreading themselves.
- System disruption: Damage or destruction of physical
environment due to fire, political violence and earthquakes.
FOR THE CIO
CIOs should give the above internal and external threats
the highest priority in their organisations and devise the necessary strategies
and policies to counter them. There are many challenges ahead, but only a well-informed
CIO can successfully understand threats, prioritise risks, and remedy the situation.
The author works with Amdocs Inc, US