Information Technology Threats and Vulnerabilities

Audience: anyone requesting, conducting or participating in an IT risk assessment.

Introduction

A threat and a vulnerability are not one and the same. A threat is a person or event that has the potential to impact a valuable resource in a negative manner. A vulnerability is that quality of a resource or its environment that allows the threat to be realized. An armed bank robber is an example of a threat. A bank teller is an example of a valuable resource that may be vulnerable during a bank robbery. Bullet-proof glass between the robber and the teller denies the robber the opportunity to shoot the teller. The threat remains present, but one of its harmful effects (a gunshot) has been mitigated by a protection mechanism (the glass).

In system and network security, the threats remain present but are mitigated through the proper use of security features and procedures. Mitigation is any effort to prevent the threat from having a negative impact, or to limit the damage where total prevention is not possible, or to improve the speed or effectiveness of the recovery effort.

Hardware and software systems and the data they process can be vulnerable to a wide variety of threats. The selection of security features and procedures must be based not only on general security objectives but also on the specific vulnerabilities of the system in question in light of the threats to which the system is exposed. It is possible to over-protect, which only wastes resources and inconveniences users.

As you can see, there is a relationship between threats and vulnerabilities. Sometimes it is easier to examine each potential threat and determine the extent to which you are vulnerable (e.g. fire, flood, earthquake). In other cases it is easier to look for potential vulnerabilities with no particular threat in mind (e.g. improper mounting of equipment, media failure, data entry error). In order to arrive at a complete risk assessment, both perspectives must be examined. Threats and vulnerabilities are intermixed in the following list and can be referred to collectively as potential "security concerns."

For ease of discussion and use, concerns can be divided into four categories. Environmental concerns include undesirable site-specific chance occurrences such as lightning, dust and sprinkler activation. Physical concerns include undesirable site-specific personnel actions, either intentional or unintentional, such as theft, vandalism and trip hazards. Site-Support concerns include foundational site aspects such as electrical power, telephone service and climate control. These three categories of concerns are generally not resolvable as part of system design and administration - they are more appropriately addressed as part of facility design and maintenance, thereby encompassing all systems present.

The final category, Technical concerns, includes insidious system-specific situations such as improper system operation, malicious software and line tapping. The actual threats are few: untrained and nefarious users and system calamities. It is far more useful to explore the many avenues (vulnerabilities) open to these users and events, and to consider ways to prevent these occurrences and/or provide for rapid recovery.

The following list is meant to be used as a starting point in any IT risk assessment. Each potential concern must be evaluated for a particular site or system to determine the extent to which it applies. The probability of its occurrence, coupled with the projected impact of the event and the cost of the appropriate mitigation yields a prioritized list of security concerns that should be addressed.
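The prioritization described above (probability of occurrence, projected impact, and cost of mitigation) can be made explicit with a small scoring model. The example below is added here and is not part of the original guidance; it assumes a simple annualized expected-loss model (likelihood times impact, reduced by the control's effectiveness, minus the control's yearly cost), which is one common way to do this and not a formula the page prescribes. The concern names come from the lists on this page; all numbers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Concern:
    """One security concern together with the assessor's estimates for a site."""
    name: str
    category: str
    likelihood: float               # estimated probability of occurrence per year, 0.0-1.0
    impact: float                   # projected loss per occurrence, in currency units
    mitigation_cost: float          # yearly cost of the proposed protection mechanism
    mitigation_effectiveness: float  # fraction of the expected loss the mechanism removes, 0.0-1.0

    def expected_loss(self) -> float:
        """Expected yearly loss with no mitigation in place."""
        return self.likelihood * self.impact

    def residual_loss(self) -> float:
        """Expected yearly loss that remains after the mitigation is applied."""
        return self.expected_loss() * (1.0 - self.mitigation_effectiveness)

    def net_benefit(self) -> float:
        """Loss avoided per year minus the cost of the mitigation.

        A negative value means the control costs more than the loss it prevents,
        i.e. the over-protection the page warns about.
        """
        return self.expected_loss() - self.residual_loss() - self.mitigation_cost


def prioritize(concerns):
    """Rank concerns so the most cost-effective mitigations come first."""
    return sorted(concerns, key=lambda c: c.net_benefit(), reverse=True)


def worth_mitigating(concerns):
    """Only the concerns whose mitigation avoids more loss than it costs."""
    return [c for c in prioritize(concerns) if c.net_benefit() > 0]


# Constructed sample assessment for a hypothetical small site (numbers are illustrative only).
SAMPLE_CONCERNS = [
    Concern("Power Outage", "Site-Support", likelihood=0.5, impact=20_000,
            mitigation_cost=3_000, mitigation_effectiveness=0.90),   # e.g. a UPS
    Concern("Media Failure", "Technical", likelihood=0.2, impact=50_000,
            mitigation_cost=2_000, mitigation_effectiveness=0.95),   # e.g. tested backups
    Concern("Data Entry Error", "Technical", likelihood=0.9, impact=500,
            mitigation_cost=100, mitigation_effectiveness=0.80),     # e.g. input validation
    Concern("Electronic Emanations", "Technical", likelihood=0.01, impact=100_000,
            mitigation_cost=40_000, mitigation_effectiveness=0.99),  # e.g. TEMPEST shielding
]


if __name__ == "__main__":
    for c in prioritize(SAMPLE_CONCERNS):
        verdict = "mitigate" if c.net_benefit() > 0 else "accept risk (over-protection)"
        print(f"{c.name:<22} {c.category:<13} expected loss {c.expected_loss():>9.2f} "
              f"net benefit {c.net_benefit():>10.2f}  -> {verdict}")
```

With the constructed figures, media failure and power outage rise to the top because cheap controls remove most of a sizeable expected loss, while TEMPEST shielding comes out negative: the exposure is real but the control costs far more than the loss it prevents, so the model flags it as over-protection for this site rather than as something to ignore in general.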

Environmental (undesirable site-specific chance occurrences)

Physical (undesirable site-specific personnel actions)

Site-Support (foundational site aspects)
  • Power Outage
  • Extreme / Unstable Temperatures
  • Extreme / Unstable Humidity
  • Unsafe Environment - unfit for human occupation
  • Facility Inaccessibility - blocked ingress
  • Inability to Cut Power - during fire, flood, etc.
  • Electrical Noise / Bad Ground - suggested by flickering lights or jittery workstation displays
  • Improper Maintenance - unqualified support or preventive maintenance behind schedule
  • Personnel Unavailability - inability to contact operations or support personnel
  • Telephone Failure - inability to contact site from outside, inability to call out, service completely unavailable
  • Inappropriate Fire Suppression - water, foam, PKP, Halon
  • Inappropriate Trash Disposal - sensitive data released in an unauthorized manner

Technical (insidious system-specific situations)
  • Improper / Inadequate Procedure - foreseeable events not supported by complete and accurate documentation and training
  • Improper Operation - operating equipment beyond capacity or outside of manufacturer's constraints
  • Improper Hardware Configuration - prescribed hardware configured in other than the prescribed manner during installation
  • Improper Software Configuration - prescribed software configured in other than the prescribed manner during installation
  • Unauthorized Hardware / Modification - adding other-than-prescribed hardware or making unauthorized hardware modifications
  • Unauthorized Software / Modification - adding other-than-prescribed software or making unauthorized software modifications
  • Unauthorized Software Duplication - creating copies of licensed software that are not covered by a valid license
  • Unauthorized Logical Access - acquiring the use of a system for which no access has been authorized (as opposed to gaining physical access to the hardware)
  • Malfeasance (exceeding authorizations) - acquiring the use of a system in excess of that which has been authorized
  • Unsanctioned Use / Exceeding Licensing - utilizing authorized system resources for unauthorized purposes (resume, church bulletin, non-job-related e-mail or Internet browsing) or exceeding a user licensing agreement
  • Over- or Under-Classification - labeling of a resource at a higher or lower level of sensitivity than appropriate
  • Malicious Software - software whose purpose is to degrade system performance, modify or destroy data, steal resources or subvert security in any manner
  • Hardware Error / Failure [functionality] - hardware that stops providing the desired user services/resources
  • Hardware Error / Failure [security] - hardware that stops providing the desired security services/resources
  • Software Error / Failure [functionality] - software that stops providing the desired user services/resources
  • Software Error / Failure [security] - software that stops providing the desired security services/resources
  • Media Failure - storage media that stops retaining stored information in a retrievable/intact manner
  • Data Remanence - storage media that retains stored information in a retrievable/intact manner longer than desired (failure to totally erase)
  • Object Reuse - a system providing the user with a storage object (e.g. memory or disk space) that contains useful information belonging to another user
  • Communications Failure / Overload - a communications facility that stops providing service or is unable to provide service at the requested capacity
  • Communications Error - a communications facility that provides inaccurate service
  • Data Entry Error - a system accepting erroneous data as legitimate
  • Accidental Software Modification / Deletion - deleting or otherwise making unavailable necessary software
  • Accidental Data Modification / Deletion - deleting or otherwise making unavailable necessary data
  • Accidental Data Disclosure - inadvertently revealing sensitive data to an unauthorized user
  • Repudiation - participating in a process or transaction but then denying having done so
  • Masquerading - participating in a process or transaction but posing as another user
  • Message Playback - recording a legitimate transmission for retransmission at a later time in an attempt to gain unauthorized privileges
  • Message Flooding - generating an inordinately large quantity of transmissions in an attempt to make a system or service unavailable due to overload
  • Line Tapping - connecting to a communications facility in an unauthorized manner in an attempt to glean useful information
  • Electronic Emanations - information-bearing spurious emissions associated with all electronic equipment (prevented by TEMPEST equipment or shielding)
  • Geo-location - a system inadvertently revealing the current physical location of a user

    NOTE: The above list of Technical concerns is somewhat generic but is useful during system design and remains useful at a high level during system audits; a more detailed list of system-specific vulnerabilities would be so long and dynamic as to be unmanageable - automated tools should be used to identify operating system-, application- and middleware-specific vulnerabilities.
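Two of the Technical concerns above, Masquerading and Message Playback, are usually countered together on the receiving side: a message authentication code ties each message to a shared secret so a forged or altered message is rejected, and a timestamp plus a single-use nonce lets the receiver reject a genuine message that is recorded and retransmitted later. The following is an added example of that receiver-side check, not code from the original page; the shared key, freshness window, message layout and sample messages are all constructed for illustration, and in a real deployment the key would be provisioned out of band.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the example only; a real key is provisioned out of band.
SHARED_KEY = b"example-shared-key-not-for-production"
FRESHNESS_WINDOW_SECONDS = 30


def _canonical(body: dict) -> bytes:
    """Serialize the message fields in a fixed order so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, sender: str, payload: dict, now=None, nonce=None) -> dict:
    """Sender side: attach a timestamp, a fresh random nonce and an HMAC over every field."""
    body = {
        "sender": sender,
        "timestamp": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16) if nonce is None else nonce,
        "payload": payload,
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Receiver that rejects forged (masquerading) and replayed (message playback) messages."""

    def __init__(self, key: bytes, window: int = FRESHNESS_WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp; only nonces inside the window need to be remembered

    def accept(self, msg: dict, now=None):
        """Return (accepted, reason). Checks run MAC first so unauthenticated input decides nothing."""
        now = time.time() if now is None else now
        mac = msg.get("mac")
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if mac is None or not hmac.compare_digest(mac, expected):
            return False, "bad-mac"      # wrong key or altered fields: masquerading / tampering
        if abs(now - body["timestamp"]) > self.window:
            return False, "stale"        # outside the freshness window: playback of an old capture
        self._prune(now)
        if body["nonce"] in self.seen:
            return False, "replay"       # same nonce again inside the window: playback
        self.seen[body["nonce"]] = body["timestamp"]
        return True, "ok"

    def _prune(self, now) -> None:
        """Forget nonces whose timestamp has aged out; the stale check already rejects those."""
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}


if __name__ == "__main__":
    receiver = Receiver(SHARED_KEY)
    original = build_message(SHARED_KEY, "alice", {"action": "transfer", "amount": 100}, now=1000)
    print("first delivery:", receiver.accept(original, now=1005))   # (True, 'ok')
    print("replayed copy: ", receiver.accept(original, now=1010))   # (False, 'replay')
```

The freshness window bounds how long the receiver must remember nonces, and the MAC check comes first so that an attacker cannot fill the nonce cache or probe the timestamp logic with unauthenticated messages. Clock skew between sender and receiver must stay well inside the window, which is why the window is a tunable rather than a constant.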