
Threats
Category of Threats
Missing, inadequate, or incomplete organizational policy or planning makes an
organization vulnerable to loss, damage, or disclosure of information assets.

The organization’s executive leadership is responsible for strategic planning for security
as well as for IT and business functions—a task known as governance.

This category of threat involves the deliberate sabotage of a computer system or
business, or acts of vandalism to either destroy an asset or damage the image of an organization.
These acts can range from petty vandalism by employees to organized sabotage against an
organization.

Vandalism to a Web site can erode consumer confidence, thus diminishing an
organization’s sales and net worth, as well as its reputation.

For example, on July 13, 2001, a group known as Fluffi Bunni left its mark on the front page of the
SysAdmin, Audit, Network, Security (SANS) Institute, a cooperative research and education
organization. This event was particularly embarrassing to SANS Institute management, since the
Institute provides security certification programs. The defacement read, “Would you really trust
these guys to teach you security.”

Compared to Web site defacement, vandalism within a network is more malicious in
intent and less public. Today, another form of online vandalism is prevailing: hacktivist or cyber
activist operations, which interfere with or disrupt systems to protest the operations, policies, or
actions of an organization or government agency.

In November 2009, a group calling itself “anti-fascist hackers” defaced the Web site of David
Irving, an English author and Holocaust denier who wrote on the military and political history of World War II
with a focus on Nazi Germany. They also released his private e-mail correspondence, secret locations of his
events, and detailed information about people attending those events. This information was posted on the
Web site WikiLeaks, an organization that publishes sensitive leaked news provided by anonymous sources.

Irving's reputation as a historian was discredited in 1996 due to an unsuccessful false case he
filed against the American historian Deborah Lipstadt and Penguin Books, in which he was proven to have
deliberately misrepresented historical evidence to promote Holocaust denial and whitewash the Nazis.
The English court found that Irving was an active Holocaust denier and racist, who "for his own ideological
reasons persistently and deliberately misrepresented and manipulated historical evidence". In addition, the
court found that Irving's books had distorted the history of Hitler's role in the Holocaust to depict Hitler in a
favourable light.

A much more sinister form of hacking is cyberterrorism. Cyberterrorists hack systems
to conduct terrorist activities via network or Internet pathways. Cyberterrorism consists of
premeditated, politically motivated attacks against information, computer systems, computer
programs, and data that result in violence against noncombatant targets by subnational groups
or clandestine agents.

Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during
the war in Kosovo.

Theft is the illegal taking of another’s property, which can be
physical, electronic, or intellectual. The value of information is diminished when it is copied
without the owner’s knowledge.

Physical theft can be controlled quite easily by means of a wide variety of measures,
from locked doors to trained security personnel and the installation of alarm systems. When
someone steals a physical object, the loss is easily detected; if it has any importance at all, its
absence is noted.

Electronic theft, however, is a more complex problem to manage and control. When
electronic information is stolen, the crime is not always readily apparent. If thieves are clever and
cover their tracks carefully, no one may ever know of the crime until it is far too late.

Technical hardware failures or errors occur when a manufacturer distributes equipment
containing a known or unknown flaw.

These defects can cause the system to perform outside of expected parameters,
resulting in unreliable service or lack of availability. Some errors are terminal—that is, they result in
the unrecoverable loss of the equipment. Some errors are intermittent, in that they only
periodically manifest themselves, resulting in faults that are not easily repeated, and thus,
equipment can sometimes stop working, or work in unexpected ways.

One of the best-known hardware failures is that of the Intel Pentium II chip, which had a
defect that resulted in a calculation error under certain circumstances. Intel initially expressed
little concern for the defect. Yet within days, popular computing journals were publishing a simple
calculation (the division of 4195835 by 3145727) that determined whether an individual’s machine
contained the defective chip and thus the floating-point operation bug.

This Pentium floating-point division bug (FDIV) led to a public relations disaster for Intel that
resulted in its first-ever chip recall and a loss of over $475 million.

A few months later, disclosure of another bug, known as the Dan-0411 flag, further eroded the chip
manufacturer’s public image. This bug occurs with operations that convert floating-point numbers
into integers.

In 1998, when Intel released its Xeon chip, it also had hardware errors. Intel said, “All new chips
have bugs, and the process of debugging and improving performance inevitably continues even
after a product is in the market.”
