Assets Threats
Assets and Threats-What is at risk?
Assets and Threats Defined
Origins of Business Threats/Types of Threats
Reconnaissance Threats
Denial of Service
Data Manipulation
Other Threats
Internal Vs. External Threats
Techniques For Preventing Attacks
How Do Natural Threats Pose A Risk
Best Measures to Protect Assets
Assets and Threats-What is at risk?
Studies suggest that threat assessment is increasingly important within the organizational context (Grassie, 2000; Schwartz, 2003). More and more organizations are faced with low probability yet high consequence threats that often result from technological advances enabling internal and external forces to attack information systems (Grassie, 2000). While not all threats necessarily pose a risk to an organization, organizations must at minimum recognize potential threats and take measures to protect themselves from them.
The purpose of this paper is to examine typical business threats and risks and to identify what steps an organization must take to identify and protect itself from threats when considering a security risk management program. To accomplish this, the researcher will examine (1) what types of business threats exist, (2) what steps organizations can take to successfully mitigate risks and (3) what changes are needed in organizational structure or daily activities to prevent future risks.
In examining these issues it is important to differentiate threats from risks. Threats are potential negative forces that may impact an organization's bottom line or productivity; risks are more "probably oriented" and "business oriented" and involve the level of threat that actually exists within an organization (Grassie, 2000). Analysis of the two goes hand in hand when examining an organization's risk in the short and long term.
Background to the Problem
Studies suggest that the cost of confidential information stolen from businesses including Fortune 1000 companies in recent years has exceeded 100 billion dollars every year (Schwartz, 2003; Sozio & Drab, 2001). Rapid technological advances have enabled ordinary hackers to acquire inexpensive surveillance and data manipulation equipment that has resulted in countless attacks on corporate and private computer systems (Schwartz, 2003; Sozio & Drab, 2001).
Fortunately organizations can adopt multiple strategies to minimize their risk. The primary step an organization must take to protect its assets is risk analysis (Grassie, 2000). Risk analysis enables an organization to determine what internal and external threats may exist within the organizational context. Risk analysis should be conducted comprehensively to include valuing assets within the organization, measuring past threats, measuring relative exposure to current threats and identifying opportunities for future threats to the organization (Grassie, 2000).
Significance of Problem
There are multiple threats in society today that are capable of incapacitating an organization (Grassie, 2000; Schwartz, 2003). These threats, if not identified early on, lead to continuing business risk and the potential for catastrophic destruction of an organization's assets, including information systems, organization systems and even people within the organization.
Both internal and external threats are increasing in number as rapid technological advances provide opportunists with more ways to access organizational systems. It is more important than ever that organizations work to identify which threats are plausible and develop security programs that will minimize the likelihood that a threat or catastrophe will occur in the near future.
Literature Review
Assets and Threats Defined
Shimonski (2005) defines a threat as "an expression of an intention to inflict pain, injury, evil or punishment" or "an indication of impending danger or harm" (1). An asset is anything an organization considers as "useful or valuable," whether a resource or an advantage (Shimonski, 2005). An asset is something an organization works to protect. Assets within an organization may include the systems used within an organization, the people that work within an organization and the data that systems within an organization contain (Shimonski, 2005). It is not enough for an organization to consider one vs. another; rather an organization must consider all three an essential aspect of business practice.
Origins of Business Threats/Types of Threats
Business threats can occur internally and externally. A business threat is anything that might threaten an organization's computer networks, systems or people (Shimonski, 2005). There are unique threats that go hand in hand with each of the primary assets an organization holds dear. Shimonski (2005) outlines several categories of threat that present within an organization. These include (1) recon or reconnaissance threats, (2) DoS or Denial of Service threats and (3) data manipulation threats (Shimonski, 2005). Each of these threats is unique and deserves careful examination.
Reconnaissance Threats
A "recon" attack occurs when an individual attempts to ascertain whether your network or system exists and subsequently tries to map your system, possibly for planning future attacks (Shimonski, 2005). Often referred to as probing, this form of attack involves searching for vulnerabilities within the system, which is usually accomplished by scanning systems for open ports, using ping commands or performing ping sweeps (Shimonski, 2005). Tools used to sweep systems are freely available on the web, thus anyone can access them and use them to hack your computer or system (Shimonski, 2005).
Denial of Service
This is a serious attack that is easy to carry out. It is an attack against a system that will prevent the system from carrying out common functions (Shimonski, 2005). Microsoft systems generally offer multiple windows of opportunity for DoS attacks. DoS attacks can target an Internet access router or your PC with Trojans, utilizing a computer's CPU and preventing proper functioning (Shimonski, 2005; Grassie, 2000).
Data Manipulation
This is an even larger threat today, particularly for organizations that rely on data to perform day-to-day business (Garcia, 2000). Data manipulation attacks can originate internally (via a disgruntled employee) or externally (Shimonski, 2005; Grassie, 2000). An attacker can also intercept traffic between two PCs and manipulate or exploit, change and modify records in this way (Shimonski, 2005). Failure to protect this data can result in extreme legal measures, thus it makes more sense to protect data rather than subject oneself to the consequences of a hack attack on data (Grassie, 2000). Organizations should work to identify whether design-based threats are real and probable or highly likely as part of business security risk analysis measures (Grassie, 2000).
Other Threats
Every organization has a responsibility to protect data, which includes organizational records. Organizations rely on data to "analyze, reduce and eliminate business risks including new ventures, losses or loss of business" (Sampson, 1992). There are multiple steps an organization can take to help protect data within the organization.
Specific types of threats that are technology oriented and may enable data manipulation, recon or denial of service include the following:
Key logger systems or other technologies that allow individuals to gather encrypted computer data and use it at their disposal (Schwartz, 2003).
Carnivore, a communications traffic analyzer type of software that can allow someone to scan email messages within streams of information, and that uses a filter to capture desired text or email addresses, whether encrypted or not (Schwartz, 2003). This program was actually developed by the FBI, which claims access is guarded, but similar programs exist that allow individuals to scan emails and collect desired information.
Password retrieving software that hackers can use to gain access to passwords necessary to break encryption systems (Schwartz, 2005). One example is KLS, which requires a hacker have physical access to the computer, suggesting an internal threat. This program specifically exploits "some of the same weaknesses in popular commercial software that allow hackers to break into computers" (Schwartz, 163).
Text collectors that collect information including online conversations that travel from computer to computer (Schwartz, 2003).
Many systems mentioned above are actually hacking systems developed by government agencies for surveillance operations; the fact that the technology exists in some form or another, however, suggests that it is open to exploitation (Schwartz, 2003). Even 'fair use' of such systems may cause excessive anxiety and accusations of espionage or spying (Schwartz, 2003).
Internal Vs. External Threats
Internal threats are not the same as external threats. Each may be equally damaging. Internal threats come from internal sources, including disgruntled employees that may delete data not backed up or manipulate data they have access to using corporation PCs (Shimonski, 2005). External attacks come from unknown sources that tend to scan edge routers and hence originate outside an internal network (Shimonski, 2005).
Schwartz (2003) identifies internal and external threats to technology infrastructures vulnerable to attack, suggesting that trade secret theft is another security threat that may result in billions of dollars in damage, yet is one that organizations often overlook or are not prepared to manage (p. 163). Preventing such threats may be as simple as utilizing organizational surveillance tools and extending legal prosecution for violators of trade secret agreements (Schwartz, 2003).
Techniques For Preventing Attacks
There are many steps a company can take to help minimize the security risk threats pose. These include:
Conducting an annual risk assessment that allows technical and security analysts and engineers to evaluate a system's security and identify what threats may exist (Shimonski, 2005; Grassie, 2000; Garcia, 2000).
Performing an infrastructure analysis, which allows a company to test its systems to find weaknesses against known intrusion devices (Shimonski, 2005). This is also known as a vulnerability assessment (Shimonski, 2005).
Enlisting senior management support so that security is taken seriously within the organization and so that employees and managers alike understand the value of assets and the seriousness of threats that may exist (Shimonski, 2005; Schwartz, 2003).
Establish a security budget so that from year to year an organization has the finances necessary to deal with security threats as they occur and also to take measures to prevent security issues (Shimonski, 2005; Garcia, 2000).
Create a task force that can respond successfully and expediently to security emergencies (Shimonski, 2005). Along these lines a security breach plan of action should be developed and all employees informed of the proper steps to take if a security breach occurs.
Establish a recovery plan that will help protect assets. This should include establishing backups so a company has somewhere to go and can restore systems should an attack occur within an organizational structure (Shimonski, 2005; Sampson, 1992).
Sampson (1992) suggests the following steps for protecting data and organizational assets: (1) analyzing potential business risks, (2) protecting revenues from current or future losses, (3) reducing or removing an organization's exposure to risk and (4) filing claims or prosecuting any criminal actions that do occur within the workplace (p. 17).
Sampson (1992) suggests that organizations protect themselves from the following threats: (1) catastrophes (external), (2) electrical power problems (external) and (3) computer crimes and viruses (internal and external threats) (p. 21).
Organizations must also work to decide whether potential threats are low probability or high probability within the organization (Grassie, 2000). This will enhance the organization's ability to manage threats. High consequence and high probability threats are the most important to manage, as assets are most at risk from these threats (Grassie, 2000). By the same token, security managers shouldn't necessarily disregard high consequence but low probability threats unless the threat source is truly unlikely to affect an organization (Grassie, 2000).
Garcia (2000) suggests that an organization must first (1) identify assets, including physical and intangible assets within the organization, (2) then decide what assets require what levels of protection based on the asset value, (3) next decide what the probability of an attack is, (4) identify what the consequence of a loss may be, (5) identify high consequence events and then (6) develop a risk management program that takes into consideration all of these factors (Garcia, 44). One way organizations can effectively manage threats is by creating a matrix to enable security teams to graphically review all assets and threats and determine how resources are best allocated (Garcia, 2000).
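The asset-and-threat matrix described above can be sketched in a few lines of Python. This is an added example, not taken from the paper or its sources; the assets, threats, 1-5 rating scales and the "high" cut-off are constructed assumptions. It values assets, rates each threat for probability and consequence, and ranks by quadrant first so that high consequence but low probability threats are kept for review rather than sinking to the bottom of a pure score ranking.

```python
from dataclasses import dataclass

# Constructed sample data; the 1-5 ordinal scales are an assumption of this example.
ASSET_VALUE = {"customer database": 5, "edge router": 3, "paper records": 2}
HIGH = 4  # hypothetical cut-off for "high" probability or consequence
QUADRANTS = ["manage first", "review, do not disregard",
             "routine controls", "accept and monitor"]  # in priority order

@dataclass(frozen=True)
class Threat:
    asset: str
    name: str
    probability: int  # 1 (rare) .. 5 (expected)
    consequence: int  # 1 (minor) .. 5 (catastrophic)

THREATS = [  # constructed examples drawn from the threat types the paper lists
    Threat("customer database", "data manipulation by insider", 4, 5),
    Threat("edge router", "denial of service", 4, 3),
    Threat("edge router", "reconnaissance scan", 5, 1),
    Threat("customer database", "flood at data centre", 1, 5),
    Threat("paper records", "fire", 1, 3),
]

def classify(t: Threat) -> str:
    """Place a threat in one quadrant of the probability/consequence matrix."""
    high_p, high_c = t.probability >= HIGH, t.consequence >= HIGH
    if high_c:
        return QUADRANTS[0] if high_p else QUADRANTS[1]
    return QUADRANTS[2] if high_p else QUADRANTS[3]

def score(t: Threat) -> int:
    """Probability x consequence, weighted by the value of the asset at risk."""
    for rating in (t.probability, t.consequence):
        if not 1 <= rating <= 5:
            raise ValueError(f"{t.name}: rating {rating} outside the 1-5 scale")
    if t.asset not in ASSET_VALUE:
        raise ValueError(f"{t.name}: asset {t.asset!r} has not been valued")
    return t.probability * t.consequence * ASSET_VALUE[t.asset]

def build_matrix(threats):
    """Return (asset, threat, quadrant, score) rows, quadrant first, then score."""
    rows = [(t.asset, t.name, classify(t), score(t)) for t in threats]
    return sorted(rows, key=lambda r: (QUADRANTS.index(r[2]), -r[3]))

if __name__ == "__main__":
    for asset, name, quadrant, s in build_matrix(THREATS):
        print(f"{quadrant:26} {s:4}  {asset}: {name}")
```

With the sample ratings, the flood scores below the denial of service threat on probability times consequence alone, yet the quadrant ordering lists it second.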
How Do Natural Threats Pose A Risk
Natural disasters pose just as much risk to organizations as man-made threats (Sampson, 1992). Flood, fire, hurricanes and other natural disasters can result in serious damage to an organization's computer system, database and paper records (Sampson, 1992). Whereas an organization can take steps to prevent an external hacker from accessing its computer system, it is much more difficult to predict natural threats within an organizational context.
Natural disasters can also have a domino effect, enabling opportunists or hackers to penetrate a system. For example, fiber optic cables lost in a storm or power outages can allow computer viruses to attack (Sampson, 1992). To help mitigate such natural disasters it is vital that organizations prepare disaster mitigation or relief plans to address the heavy losses that may occur in the event a catastrophe occurs (Sampson, 1992). Most government agencies and financial institutions already require an emergency disaster plan be in place in the event a natural disaster occurs (Sampson, 1992). The focus of the plan should be ensuring that an organization can continue to operate despite a catastrophic event; protection may include adequate insurance coverage and obtaining backup records (Sampson, 1992).
Other threats an organization must consider include catastrophic threats that may result from terrorist attacks (Grassie, 2000). While this is more often a concern among government agencies and financial institutions, all businesses should be aware of the potential for terrorist threats, which can "dramatically change the outcome of risk analysis" (Grassie, 2000).
Best Measures to Protect Assets
Schwartz (2003) suggests that an organization's information assets are the most important to protect because an organization's bottom line success is "linked to these information assets" (163). Further, he suggests that any given technology is supported or "described by" information assets and this reliance on information assets in itself may pose security threats (Schwartz, 163).
Technology breakthroughs are occurring daily that often undermine previous measures to protect information assets, thus it is not enough for an organization to adopt the latest technology (Schwartz, 2003). Rather, an organization must work toward continuous improvements, which will result in ever evolving measures to ensure organizational security over time.
To protect human assets within the organization a corporation must also engage in cultural security measures. Culture is an important determinant of "whether and how remote risks are considered in actual protection applications" (Grassie, 136). Every company has a unique culture that determines what actions are acceptable and what are not; an organization that embraces an open environment that is knowledgeable of security measures and tolerates only "limited security restrictions" is prone to different threats than an organization that embraces only tight security measures (Grassie, 136). In an open environment an organization is less likely to devote resources to protect itself from low probability but high-risk threats (Grassie, 2000). An organization's past risk history may also determine what procedures are put into place to mitigate risk. A workplace that exhibits more "antisocial behaviors" is more likely to be at risk than an organization that is more cohesive (Grassie, 2000).
Garcia (2000) suggests that organizations take into consideration what assets require protection; these may include physical assets such as communications equipment, computer networks, information assets, human resource databases, proprietary formulas and even "strategic planning information" (44). Personnel and visitors, however, are also assets requiring protection in the organizational context (Garcia, 2000).
Methods
The intent of the research in this study is to examine (1) what types of business threats exist, (2) what steps organizations can take to successfully mitigate risks and (3) what changes are needed in organizational structure or daily activities to prevent future threats from posing serious risk or consequence. To accomplish this feat the researcher engaged in qualitative methods that help explain how people "define their needs" and why or how they "seek assistance" given a particular phenomenon (Darlington & Scott, 2002).
In particular, the researcher was interested in surveying the current literature that exists with respect to assets and threat management to determine what organizations are doing correctly to help mitigate risk. Methods employed for this study include data collection, observation and documentation analysis of multiple studies conducted previously analyzing security risk management within organizations (Darlington & Scott, 2002). From the data collected the researcher then disseminated findings by carefully comparing and synthesizing the information gathered from the literature review.