CISSP For Dummies
Plenty of threats, if carried out, could cause damage to the organization. We discuss some of these threats here.
Errors and Omissions
Errors and Omissions (E&O) is an insurance term for the strategic and tactical errors an organization can make, whether by commission (performing an action) or omission (failing to perform one). In addition to general liability coverage, insurance companies also sell Errors and Omissions insurance. Errors and Omissions liability is also known as professional liability.
An example of Errors and Omissions is an error that prevents a company from delivering goods or services on a contract.
Some Errors and Omissions can be prevented through product reviews and quality control processes. For example, an accounting firm can implement systems that help to prevent calculation errors, and a medical transcription organization may implement access control systems to prevent the accidental disclosure of information.
Fraud
Fraud is defined as any deceptive or misrepresented activity that results in illicit personal gain. Some examples of fraud include
- Writing bad checks
- Lying about personal information in order to receive a product or service to which the person is not entitled
Fraud is best countered with controls and processes to ensure that people aren’t misrepresenting themselves or the information that they assert. Generally, the controls used are those that attempt to confirm information.
Theft
Theft is the taking of property from its owner without the owner’s consent. A wide variety of controls can deter and prevent theft, including locks, alarm systems, cameras, audit trails (in the case of information theft), and identifying marks on equipment.
Unlike the theft of physical assets such as computers, data theft is much harder to detect. When someone steals data, the original is still in place; what has happened is that an unauthorized copy has been made and moved to a location known to the thief. The only evidence is the access itself, which is why audit trails are the primary detective control for information theft.
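Because a stolen data set is still in place, the only place the theft shows up is in the record of who read what, and how much. The following added example (not from CISSP For Dummies) shows the kind of audit-trail check that turns such a record into a detection: it aggregates a constructed, space-separated access log per user and flags anyone whose read volume crosses a bulk threshold or who reads a lot outside working hours. The log format, the 10 MiB threshold and the 07:00 to 20:00 working window are all assumptions chosen for illustration.

```python
"""Flag bulk or off-hours data access in an audit trail.

Added example, not from CISSP For Dummies. The log format and the
thresholds below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime

# Assumed detection thresholds.
BULK_BYTES = 10 * 1024 * 1024   # 10 MiB read by one user in the log window
WORK_START, WORK_END = 7, 20    # hours outside [07:00, 20:00) count as off-hours

# Constructed sample audit lines: "timestamp user action object bytes".
# alice and bob do ordinary daytime record lookups; carol pulls two
# 50 MiB exports and copies one of them late in the evening.
SAMPLE_LOG = """\
2024-03-04T09:01:12 alice READ /crm/customers/1042 2048
2024-03-04T09:02:40 alice READ /crm/customers/1043 1980
2024-03-04T09:05:03 bob READ /crm/customers/2001 2100
2024-03-04T22:14:01 carol READ /crm/customers/export.csv 52428800
2024-03-04T22:14:09 carol READ /crm/customers/export2.csv 52428800
2024-03-04T22:14:15 carol COPY /crm/customers/export.csv 52428800
"""


def parse_line(line):
    """Split one audit line into a dict; raises ValueError on a malformed line."""
    ts, user, action, obj, size = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "object": obj,
        "bytes": int(size),
    }


def is_off_hours(t):
    """True when the event falls outside the assumed working window."""
    return t.hour < WORK_START or t.hour >= WORK_END


def summarize(log_text):
    """Aggregate bytes read, distinct objects and off-hours events per user."""
    per_user = defaultdict(
        lambda: {"bytes": 0, "objects": set(), "off_hours_events": 0}
    )
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        stats = per_user[ev["user"]]
        stats["bytes"] += ev["bytes"]
        stats["objects"].add(ev["object"])
        if is_off_hours(ev["time"]):
            stats["off_hours_events"] += 1
    return per_user


def flag_bulk_access(log_text, bulk_bytes=BULK_BYTES):
    """Return {user: [reasons]} for users whose access pattern looks like bulk copying."""
    findings = {}
    for user, stats in summarize(log_text).items():
        reasons = []
        if stats["bytes"] >= bulk_bytes:
            reasons.append(f"read {stats['bytes']} bytes (threshold {bulk_bytes})")
        # Off-hours reads are suspicious on their own once they carry real volume;
        # a tenth of the bulk threshold is the assumed floor.
        if stats["off_hours_events"] and stats["bytes"] >= bulk_bytes // 10:
            reasons.append(f"{stats['off_hours_events']} off-hours events")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in flag_bulk_access(SAMPLE_LOG).items():
        print(f"{user}: {'; '.join(reasons)}")
```

The point of the per-user aggregation is that no single line in the log is incriminating; each of carol's reads is a legitimate operation she is authorized to perform. Only the volume and timing, visible in the audit trail, distinguish a copy made for theft from normal work.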
Employee sabotage
Sabotage is the deliberate destruction of property, which could include physical or information assets. This is best deterred and detected with highly visible audit trails and prevented with strict access controls.
Industrial espionage
Industrial espionage is the act of obtaining proprietary or confidential information in order to pass it to a competitor. Espionage is difficult to prevent, but you can deter such activity with visible audit trails and access controls.
Loss of physical and infrastructure support
Loss of physical and infrastructure support is a broad category that represents the kinds of actions that result in a data processing operation losing its physical facilities and/or supporting infrastructure. This includes, but isn’t limited to, interruptions in public utilities or events that result in the closure or evacuation of a building. We discuss this topic in depth in Chapter 11.
Hackers and crackers
Hackers are computer enthusiasts who enjoy discovering the intricacies of computers and programming languages and can often be considered experts. The term hacker has been associated more with individuals who break into computer systems and networks in order to cause disruption or steal information. Hackers insist that those malicious individuals are known as crackers. Whatever. The point is, we need to prevent them from accessing our systems and data.
Malicious code
Malicious code includes viruses, worms, and Trojan horses.
Inappropriate employee activities
Company workers are capable of all sorts of inappropriate things, such as
- Fraud: Workers with detailed knowledge of business processes and/or insider access to information are in a particularly good position to defraud their employers.
- Collusion: Collusion is the cooperation between two or more persons for some illegal or deceitful purpose.
- Pornography: ’Nuf said.
- Sexual Harassment: Ditto.
- Wastefulness: This topic covers everything from computer resources to office supplies, time, and money.
- Theft: Theft can include equipment as well as information.
- Abuse: Abuse is a catchall term that covers the misuse of company resources for personal gain.
- Espionage: Yes, every employee has a price, and some will stoop to the level of selling information to other organizations.
Criminologists generally describe the criminal as having means, motive, and opportunity to commit a crime. Generally speaking, workers have more means and opportunities to commit damaging acts than do outsiders. They’re already entrusted with read-only or read-write access to information and equipment. All they lack is a motive (and they only need to lack a conscience).
Hackers on the outside, on the other hand, may have the motivation to damage a company’s information assets, but they may lack the means and the opportunity because security measures prevent them from getting to the goods.