Information Security Vulnerabilities – Threats and Vulnerabilities
Threat—a potential cause of an incident that may result in harm to a system or organization.
Vulnerability—a weakness of an asset (resource) or a group of assets that can be exploited by
one or more threats
Risk—potential for loss, damage, or destruction of an asset as a result of a threat exploiting a
Example: In a system that allows weak passwords,
– Vulnerability—the password can be recovered by a dictionary attack or an exhaustive
(brute-force) key search
– Threat—an intruder can exploit the weak password to break into the system
– Risk—the resources within the system are exposed to unauthorized access, modification or
damage by the intruder.
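To make the weak-password example concrete, here is an added illustration (not part of the original notes) that plays all three roles: the stored password hash is the asset, the dictionary and exhaustive searches are the threat, and a simple password-acceptance check is the countermeasure. It assumes, purely for the example, that the system stores an unsalted SHA-256 of each password; the wordlist is constructed and stands in for a real breached-password list.

```python
import hashlib
import itertools
import string

# Assumption made for this example: the system stores an unsalted SHA-256 of
# each password. Real systems should use a slow, salted password hash
# (bcrypt, scrypt, Argon2); this cheap storage is what makes the attack cheap.
def store_password(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed wordlist standing in for a real dictionary of common passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "summer2023"]


def dictionary_attack(stored_hash: str, wordlist=WORDLIST):
    """Threat: hash each dictionary word and compare it with the stored hash.
    Returns the recovered password, or None if it is not in the list."""
    for candidate in wordlist:
        if store_password(candidate) == stored_hash:
            return candidate
    return None


def exhaustive_attack(stored_hash: str, max_len: int = 3,
                      alphabet: str = string.ascii_lowercase + string.digits):
    """Threat: exhaustive key search over every string up to max_len characters.
    Work grows as len(alphabet) ** length, which is why short passwords fall
    quickly and long random ones do not."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if store_password(candidate) == stored_hash:
                return candidate
    return None


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive attack must try in the worst case."""
    return alphabet_size ** length


def password_allowed(password: str, min_len: int = 12) -> bool:
    """Countermeasure: refuse the passwords the attacks above recover cheaply.
    Checks minimum length and membership in the known-bad list; a real
    deployment would check a much larger breached-password list."""
    return len(password) >= min_len and password.lower() not in WORDLIST


if __name__ == "__main__":
    h = store_password("letmein")
    print("dictionary attack recovered:", dictionary_attack(h))
    print("exhaustive attack recovered:", exhaustive_attack(store_password("ab1")))
    print("36^8 candidates:", search_space(36, 8))
```

Running it shows why the vulnerability is the password policy rather than the hash function: a six-character lowercase password is a few hundred million hashes away from recovery, while adding length multiplies the search space by 36 per character and a salted slow hash multiplies the cost of every guess.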
Threat agent—entities that would knowingly seek to manifest a threat

Risk = Threats x Vulnerabilities (a conceptual product: with no threat, or no vulnerability for it to exploit, there is no risk)

Components of a Threat:

– Threat agents—criminals, terrorists, subversive or secret groups,
state sponsored, disgruntled employees, hackers, pressure groups,
commercial groups
– Capability—software, technology, facilities, education and training,
methods, books and manuals
– Threat inhibitors—fear of capture, fear of failure, level of technical
difficulty, cost of participation, sensitivity to public perception, law
enforcement activity, target vulnerability, target profile, public
perception, peer perception
– Threat amplifiers—peer pressure, fame, access to information,
changing high technology, deskilling through scripting, skills and
education levels, law enforcement activity, target vulnerability,
target profile, public perception, peer perception
– Threat catalysts—events, technology changes, personal
– Threat agent motivators—political, secular, personal gain, religion,
power, terrorism, curiosity

Threat Agents:
– Natural—fire, floods, power failure, earthquakes, etc.
– Unintentional—insider, outsider—primarily non-hostile
– Intentional—Insider, outsider—hostile or non-hostile (curious)
• Foreign agents, industrial espionage, terrorists, organized
crime, hackers and crackers, insiders, political dissidents,
vendors and suppliers

Major Security Threats on Information Systems:

  1. Intrusion or Hacking—gaining access to a computer system without the knowledge or
    consent of its owner. Common entry points and tools: poor implementation of shopping
    carts, hidden fields in HTML forms (trusting values the browser posts back), reliance
    on client-side validation scripts, direct SQL attacks (SQL injection), session
    hijacking, buffer overflows in form handlers, port scanning to find exposed services.
  2. Viruses and Worms—self-replicating programs that damage or disrupt the normal operation
    of a system; a virus attaches itself to a host program or file and needs that host to
    run, while a worm spreads on its own over the network. Variants: polymorphic virus,
    stealth virus, tunneling virus, virus droppers, cavity virus.
  3. Trojan Horse—a program that appears useful but carries hidden malicious functionality.
    Remote-access Trojans have two components: a server that runs on the victim machine and
    a client that the attacker uses to control it. Typical uses: data integrity attacks,
    stealing private information from the target system, logging keystrokes and making them
    viewable to the attacker, sending private local data out as an email attachment.
  4. Spoofing—fooling other computer users or systems into believing that information comes
    from a legitimate source—IP spoofing, DNS spoofing, ARP spoofing.
  5. Sniffing—capturing traffic on the wire to harvest login ids and passwords sent in
    cleartext; tcpdump and snoop are well-known packet-capture tools used for this.
  6. Denial of Service—the aim of this attack is to bring down the targeted network or host
    and make it deny service to legitimate users. DoS attacks require little expertise; a
    flood generated with nothing more than the ping command is enough against a poorly
    provisioned target.
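Two of the intrusion entry points listed under item 1, hidden form fields and direct SQL attacks, are worth seeing side by side with their fixes. The following is an added example written for these notes, not code from the original page: it assumes a tiny shopping-cart back end with an in-memory SQLite catalogue and user table (constructed data), shows the vulnerable handler that trusts what the browser posts, and the hardened handler that does not. Passwords are stored in plaintext only to keep the SQL point visible; a real system stores a salted slow hash.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory catalogue and user table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER NOT NULL);
        INSERT INTO products VALUES ('BOOK-1', 2500), ('LAPTOP-1', 129900);
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL);
        INSERT INTO users VALUES ('alice', 'correct horse'), ('admin', 'hunter2');
    """)
    return conn


# --- Hidden fields in HTML forms (poor shopping-cart implementation) ---

def checkout_total_vulnerable(form: dict) -> int:
    """Trusts the price the browser posts back in a hidden <input> field.
    Anyone can edit that field before submitting, so the price is
    attacker-controlled."""
    return int(form["qty"]) * int(form["price_cents"])


def checkout_total_hardened(conn: sqlite3.Connection, form: dict) -> int:
    """The client chooses only what and how many; the price comes from the
    server-side catalogue and the quantity is range-checked."""
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    row = conn.execute("SELECT price_cents FROM products WHERE sku = ?",
                       (form["sku"],)).fetchone()
    if row is None:
        raise ValueError("unknown sku")
    return qty * row[0]


# --- Direct SQL attack (SQL injection) ---

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string formatting, so a quote character in the
    input becomes part of the SQL. Returns the matched username or None."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised statement: the driver sends the values separately from
    the SQL text, so input can never change the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    tampered = {"sku": "LAPTOP-1", "qty": "1", "price_cents": "1"}
    print("vulnerable cart charges:", checkout_total_vulnerable(tampered))
    print("hardened cart charges:", checkout_total_hardened(db, tampered))
    print("vulnerable login as:", login_vulnerable(db, "admin' --", "wrong"))
    print("hardened login as:", login_hardened(db, "admin' --", "wrong"))
```

The username `admin' --` closes the quoted string and turns the rest of the statement into an SQL comment, so the vulnerable login never checks the password at all. Both fixes follow the same principle: nothing the client sends is trusted as data the server already owns (the price) or as code (the query text).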
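Item 4 names ARP spoofing as one form of spoofing; the practical question for a defender is how it shows up on the wire. The detector below is an added example for these notes (not code from the original page). It assumes a constructed, simplified log format of one ARP reply per line, "<time> ARP reply <ip> is-at <mac>", and replays it to flag the two signs of ARP cache poisoning: an IP address that suddenly resolves to a different MAC, and one MAC that claims several IP addresses.

```python
import re
from collections import defaultdict

# Pattern for the constructed log format: "<time> ARP reply <ip> is-at <mac>"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)

# Constructed sample: the gateway 192.168.1.1 and host .20 are first announced
# by their real adapters, then a third machine (de:ad:be:ef:00:99) claims both,
# which is what an ARP cache-poisoning attack looks like on the wire.
SAMPLE_LOG = """\
10:00:01 ARP reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01
10:00:02 ARP reply 192.168.1.20 is-at aa:bb:cc:dd:ee:20
10:00:03 ARP reply 192.168.1.21 is-at aa:bb:cc:dd:ee:21
10:00:09 ARP reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:10 ARP reply 192.168.1.20 is-at de:ad:be:ef:00:99
10:00:11 ARP reply 192.168.1.22 is-at aa:bb:cc:dd:ee:22
"""


def detect_arp_spoofing(log_text: str, max_ips_per_mac: int = 1) -> list:
    """Replays ARP replies in order and returns alerts (dicts) of two kinds:
    - ip-mac-changed: an IP seen before is now claimed by a different MAC
    - mac-multiple-ips: one MAC claims more IPs than max_ips_per_mac
    The second alert fires once, when the limit is first exceeded."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue  # not an ARP reply in the expected format; ignore
        ts, ip, mac = m.group("ts"), m.group("ip"), m.group("mac")
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "kind": "ip-mac-changed", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append({"ts": ts, "kind": "mac-multiple-ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_LOG):
        print(alert)
```

Both signals have benign causes (a DHCP lease moving to a new machine, a router or failover pair that legitimately answers for several addresses), so in practice the known gateway and server mappings are pinned in a whitelist, `max_ips_per_mac` is tuned per segment, and the "ip-mac-changed" alert on the default gateway is the one treated as high priority.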

• Vulnerability: some weakness of a system that could allow security to be at risk.
• Types of vulnerabilities
– Physical vulnerabilities
– Natural vulnerabilities
– Hardware/software vulnerabilities
– Media vulnerabilities (e.g., stolen/damaged disk/tapes)
– Emanation vulnerabilities—due to electromagnetic radiation that leaks information
– Communication vulnerabilities
– Human vulnerabilities

How do the vulnerabilities manifest?
• The different types of vulnerabilities manifest themselves via several misuses:
– External misuse—visual spying, misrepresenting, physical scavenging
– Hardware misuse—logical scavenging, eavesdropping, interference, physical attack,
physical removal
– Masquerading—impersonation, piggybacking attack, spoofing attacks, network weaving

– Pest programs—Trojan horse attacks, logic bombs, malevolent worms, virus attacks
– Bypasses—Trapdoor attacks, authorization attacks (e.g., password cracking)
– Active misuse—basic active attack, incremental attack, denial of service
– Passive misuse—browsing, inference, aggregation, covert channels

Examples of Information Security Vulnerabilities:
• Information security vulnerabilities are weaknesses that expose an organization to risk.
• Through employees: Social interaction, Customer interaction, Discussing work in public
locations, Taking data out of the office (paper, mobile phones, laptops), Emailing documents and
data, Mailing and faxing documents, Installing unauthorized software and apps, Removing or
disabling security tools, Letting unauthorized persons into the office (tailgating) , Opening spam
emails, Connecting personal devices to company networks, Writing down passwords and
sensitive data, Losing security devices such as id cards, Lack of information security awareness,
Keying data
• Through former employees—Former employees working for competitors, Former employees
retaining company data, Former employees discussing company matters
• Through technology—Social networking, File sharing, Rapid technological changes, Legacy
systems, Storing data on mobile devices such as mobile phones, Internet browsers
• Through hardware—Susceptibility to dust, heat and humidity, Hardware design flaws, Out of
date hardware, Misconfiguration of hardware
• Through software—Insufficient testing, Lack of audit trail, Software bugs and design faults,
Unchecked user input, Software that fails to consider human factors, Software complexity
(bloatware), Software as a service (relinquishing control of data), Software vendors that go out of
business or change ownership
• Through network—Unprotected network communications, Open physical connections, IPs and
ports, Insecure network architecture, Unused user ids, Excessive privileges, Unnecessary jobs and
scripts executing, Wifi networks
• Through IT management—Insufficient IT capacity, Missed security patches, Insufficient
incident and problem management, Configuration errors and missed security notices, System
operation errors, Lack of regular audits, Improper waste disposal, Insufficient change
management, Business process flaws, Inadequate business rules, Inadequate business controls,
Processes that fail to consider human factors, Overconfidence in security audits, Lack of risk
analysis, Rapid business change, Inadequate continuity planning, Lax recruiting processes
• Partners and suppliers—Disruption of telecom services, Disruption of utility services such as
electric, gas, water, Hardware failure, Software failure, Lost mail and courier packages, Supply
disruptions, Sharing confidential data with partners and suppliers