B Common Threats
by Steven Hernandez, Corey Schou
Information Assurance Handbook: Effective Computer Security and Risk Management Strategies
- Cover
- Title
- Copyright Page
- Dedication
- Contents
- Foreword
- Acknowledgments
- Introduction
- Part I Information Assurance Basics
- Chapter 1 Developing an Information Assurance Strategy
- Chapter 2 The Need for Information Assurance
- Chapter 3 Information Assurance Principles
- The MSR Model of Information Assurance
- Information Assurance
- Information Assurance: Business Enabler
- Information Assurance: Protects the Fabric of an Organization’s Systems
- Information Assurance: Cost Effective and Cost Beneficial
- Information Assurance: Shared Responsibilities
- Information Assurance: Robust Approach
- Information Assurance: Reassessed Periodically
- Information Assurance: Restricted by Social Obligations
- Implications from Lack of Information Assurance
- Further Reading
- Critical Thinking Exercises
- Chapter 4 Information Assurance Concepts
- Chapter 5 Organizations Providing Resources for Professionals
- Chapter 6 Information Assurance Management System
- Chapter 7 Current Practices, Regulations, and Plans for Information Assurance Strategy
- Part II Information Assurance Planning Process
- Chapter 8 Approaches to Implementing Information Assurance
- Chapter 9 Organizational Structure for Managing Information Assurance
- Chapter 10 Asset Management
- Chapter 11 Information Assurance Risk Management
- Chapter 12 Information Assurance Policy
- Chapter 13 Human Resource Assurance
- Chapter 14 Advantages of Certification, Accreditation, and Assurance
- Concepts and Definitions
- Purpose of Certification and Accreditation
- Primary Roles for Supporting Certification and Accreditation
- Certification and Accreditation Process
- Certification Baselines
- Considerations for Product Evaluation, Certification, and Accreditation
- Further Reading
- Critical Thinking Exercises
- Part III Risk Mitigation Process
- Chapter 15 Information Assurance in System Development and Acquisition
- Chapter 16 Physical and Environmental Security Controls
- Chapter 17 Information Assurance Awareness, Training, and Education (AT&E)
- Chapter 18 Preventive Information Assurance Tools
- Chapter 19 Access Control
- Part IV Information Assurance Detection and Recovery Processes
- Chapter 20 Information Assurance Monitoring Tools and Methods
- Chapter 21 Information Assurance Measurements and Metrics
- Chapter 22 Incident Handling
- Chapter 23 Computer Forensics
- Chapter 24 Business Continuity Management
- Chapter 25 Backup and Restoration
- Part V Application of Information Assurance to Select Industries
- Chapter 26 Healthcare
- Overview of Information Assurance Approach
- Healthcare-Specific Terminology
- Information Assurance Management
- Information Assurance Risk Management
- Risk Mitigation
- Policy, Procedures, Standards, and Guidance
- Human Resources
- Certification, Accreditation, and Assurance
- Information Assurance in System Development and Acquisition
- Physical and Environmental Security Controls
- Awareness, Training, and Education
- Access Control
- Continuous Monitoring, Incident Response, and Forensics
- Business Continuity and Backups
- Further Reading
- Critical Thinking Exercises
- Chapter 27 Retail
- Overview of the Information Assurance Approach
- Information Assurance Management
- Information Assurance Risk Management
- Risk Mitigation
- Policy, Procedures, Standards, and Guidance
- Human Resources
- Certification, Accreditation, and Assurance
- Information Assurance: System Development and Acquisition
- Physical and Environmental Security Controls
- Awareness, Training, and Education
- Access Control
- Continuous Monitoring, Incident Response, and Forensics
- Business Continuity and Backups
- Further Reading
- Critical Thinking Exercises
- Chapter 28 Industrial Control Systems
- Overview of the Information Assurance Approach
- Industrial Control–Specific Language
- Information Assurance Management
- Information Assurance Risk Management
- Risk Mitigation
- Policy, Procedures, Standards, and Guidance
- Certification, Accreditation, and Assurance
- Human Resources
- Information Assurance in System Development and Acquisition
- Physical and Environmental Security Controls
- Awareness, Training, and Education
- Access Control
- Continuous Monitoring, Incident Response, and Forensics
- Business Continuity and Backups
- Further Reading
- Critical Thinking Exercises
- Chapter 26 Healthcare
- Part VI Appendixes
- A Suggestions for Critical Thinking Exercises
- B Common Threats
- C Common Vulnerabilities
- D Sample Information Assurance Policy for Passwords
- E Sample Risk Analysis Table
- F Select Privacy Laws and Regulations by Country/Economy or State
- G Information System Security Checklist
- H References and Sources of Information
- I List of Acronyms
- Glossary
- Index
APPENDIX B
Common Threats
Threats are any potential danger to information or systems, which can range from viruses, malicious code, and worms to natural disasters such as flood and fire. This appendix will explain common types of threats and the impact on information assurance.
NOTE Components of this list are inspired and adapted from the BSI (Bundesamt für Sicherheit in der Informationstechnik) threat list, derived from Information Security Risk Analysis by Thomas R. Peltier.
Threat: Force Majeure
Force majeure is a French term used in law that you may find in contracts. It means greater (superior) force; it refers to circumstances beyond the control of anyone. A prudent manager will act to reduce the effect of these threats. If not, it may be negligence. In some cultures, these are referred to as acts of God. The following are the different types of threats in this category:
Threat: Deliberate Acts
Frequently, deliberate acts by employees and others affect systems. These threat sources range from malicious software to unanticipated personal behavior changes or misconduct. Vigilance is imperative. The following are the different types of threats in this category:
Threat: Human Failure
Human failure is where human mistakes are inevitable. Frequently, it is symptomatic of poor training. In the MSR model, training is the foundation of addressing this issue. The following are the different types of threats in this category:
Threat: Technical Failure
Frequently, technical failures result from a disconformity or misunderstanding of training or policy. In many cases, technical failures can be predicted by a statistical process control (SPC) or other means. See Chapter 21 for more information. The following are the different types of threats in this category:
-
No Comment