Computer Notes
Threat and Vulnerability Management (TVM)

By Dinesh Thakur

In this tutorial we discuss the threats to and vulnerabilities of information systems, from insiders as well as outsiders, and the ways of managing those threats and vulnerabilities.

We’ll be covering the following topics in this tutorial:

  • Information Security Attacks from Insiders
  • Types of Information Security Attacks from Outsiders
  • Some Top Hacking Incidents of All Time

Information Security Attacks from Insiders

It is now an acknowledged fact within the information security community that insiders (people with legitimate access to an organization's information systems) represent one of the biggest information security threats; estimates attribute between half and three-fourths of all security incidents to them (Dillon 1999, Whitman 2003). Considering that a large number of such incidents go undetected (Hoffer and Straub 1989), the real numbers are most likely higher still. Specialists therefore prescribe a mix of measures to prevent security incidents. These measures fall under two broad categories:

  1. Procedural or business control measures: those that define access and other security policies, usage guidelines, and security education, training and awareness (SETA) programs.
  2. Technical measures: authentication mechanisms, monitoring techniques and tools, and filtering mechanisms such as firewalls and content filters.

Types of Information Security Attacks from Outsiders

Information security attacks come in many forms. Modern attacks and techniques are difficult to detect and stop, and doing so requires continuous monitoring of the system. Perimeter security therefore matters a great deal, since the first objective of a security system is to stop an attacker from gaining access at all; it must be backed by monitoring inside the perimeter, because an attacker who does get past it still has to be detected. The major forms of attack are the following:

Hacking

Hacking is the activity of getting into a computer system without authorization, to look around and see what can be done in the system. Hackers are commonly divided into three types.

  1. Ethical hackers: these test a system with the owner's permission and report the vulnerabilities they find to the system administrator so that they can be fixed. (Breaking in first and notifying the administrator afterwards, sometimes described as hacker etiquette, is still unauthorized access.) This kind of hacking helps the organization to improve its security apparatus.
  2. Crackers: these are malicious hackers. Once they get inside a system, they destroy or steal valuable assets; their objective is to cause as much damage to the system as possible. These attacks are to be feared as they have the potential to cause large-scale damage to the organization's information assets.
  3. Phreaks: these are people who hack into the phone systems of organizations so that they can make calls at the organization's expense.

Each hacking incident may differ from the others, as each hacker tries a different trick to exploit a different vulnerability of a system. Since most systems are now connected to the Internet, most hacking incidents come from network-based attackers who gain access to the organization's computer systems and then cause damage. Most hacking incidents nevertheless follow a typical pattern of stages:

Reconnaissance: before embarking on a full-scale attack, the hacker tries to find out what countermeasures protect the system; he tests the waters before jumping in. He typically starts by gathering information about the system (and/or network), its likely vulnerabilities, the critical information it stores, key employees, public information about the system and the organization, and the organization's customers. This is passive reconnaissance. The hacker then moves on to active reconnaissance, in which he acquires DNS information and IP addresses, performs ping sweeps and SNMP network scans, grabs service banners, and so on.

Vulnerability scanning: after reconnaissance, the hacker scans the perimeter for vulnerabilities, including the organization's routers and firewalls as well as the exposed hosts and services.
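The reconnaissance and scanning stages leave a footprint in firewall logs: one source touching many ports on one host, or one source pinging many hosts. The detector below is an added example (not code from the original tutorial) that runs over a constructed, simplified log format of the shape `timestamp action src=… dst=… proto=… [dport=…]`; real firewall and cloud flow logs differ in syntax but carry the same fields. The thresholds and the 60-second bucket are assumptions to tune for your own network.

```python
"""Detect reconnaissance (port scans and ping sweeps) in firewall logs.

Added example for this tutorial, not the author's code. The log format is a
constructed, simplified one (timestamp action src dst proto [dport]); real
firewalls and cloud flow logs differ in syntax but carry the same fields.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?$"
)
EPOCH = datetime(1970, 1, 1)


def _build_sample_log():
    """Constructed sample traffic (not a real capture): one host probing twelve
    ports on one target, one host pinging eleven hosts, and a benign client."""
    lines = []
    stamp = "2024-03-01T10:00:%02dZ"
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
    for i, port in enumerate(scan_ports):
        lines.append(f"{stamp % i} DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp dport={port}")
    for i in range(11):
        lines.append(f"{stamp % (20 + i)} DROP src=198.51.100.9 dst=192.0.2.{i + 1} proto=icmp")
    for i in range(3):
        lines.append(f"{stamp % (40 + i)} ACCEPT src=192.0.2.50 dst=192.0.2.10 proto=tcp dport=443")
    lines.append("this line is not in the expected format")  # parser must skip, not crash
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse(log_text):
    """Parse log lines into dicts; unknown lines are skipped rather than raising."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"]) if e["dport"] else None
        events.append(e)
    return events


def detect_recon(events, window_seconds=60, port_threshold=10, host_threshold=10):
    """Flag sources whose activity inside one fixed time bucket looks like recon.

    port_scan : >= port_threshold distinct ports on a single destination host
    ping_sweep: >= host_threshold distinct destination hosts reached with ICMP
    Fixed buckets are simple; a scan straddling a bucket boundary is split and may
    slip under the threshold, so keep thresholds conservative or use a sliding window.
    """
    ports = defaultdict(set)  # (src, dst, bucket) -> distinct dports
    hosts = defaultdict(set)  # (src, bucket)      -> distinct dsts reached via ICMP
    for e in events:
        bucket = int((e["ts"] - EPOCH).total_seconds()) // window_seconds
        if e["proto"] == "icmp":
            hosts[(e["src"], bucket)].add(e["dst"])
        elif e["dport"] is not None:
            ports[(e["src"], e["dst"], bucket)].add(e["dport"])
    alerts = []
    for (src, dst, _), p in ports.items():
        if len(p) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(p)))
    for (src, _), h in hosts.items():
        if len(h) >= host_threshold:
            alerts.append(("ping_sweep", src, None, len(h)))
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(parse(SAMPLE_LOG)):
        print(alert)
```

Dropped packets are counted as well as accepted ones on purpose: a scanner learns as much from a `DROP` as from an `ACCEPT`, and a detector that only reads allowed traffic misses the scan entirely. Slow scans spread over hours defeat a 60-second bucket; for those, aggregate over a longer window or count distinct ports per source per day.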

Gaining access: the hacker now enters the organization's systems by exploiting a vulnerability in its defences. The entry point can be the operating system of a server or networked computer, an application (either planted in the system or an existing file corrupted or modified by the hacker to carry out his commands), or any network device in the organization's network.

Maintaining access: having got in, the hacker would normally like to keep his access. He does this by planting a custom-built application (a backdoor) on the already compromised server, which lets him enter and leave the system at will. From there he can have complete control over the organization's system: upload and modify applications, modify data without anyone's knowledge, steal data and cause widespread damage. At this stage he evaluates the organization's information assets and, depending on his intentions, decides how to profit from his efforts: simply maintain access without causing damage, steal information and sell it, profit from altering the organization's data, or blackmail the organization.

Covering tracks: once the hacker has established his access, he would like to remove any trace of his entry and exit. He does this by deleting the evidence of his access from the audit and log files on the compromised system, so that the system administrators remain oblivious to his presence. This is why logs should also be shipped to a separate system that the compromised host cannot alter.
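Deleting or editing log entries is only invisible if nothing checks the log's integrity. The following is an added example, not code from the original tutorial: an HMAC hash chain over audit records, where each entry's tag covers the previous tag, so removing, editing or truncating entries is detected at verification time. It assumes the key and the latest tag are held by a collector the compromised host cannot reach; an attacker with root on the same host could otherwise recompute the whole chain. The audit events are constructed.

```python
"""Tamper-evident audit log using an HMAC hash chain.

Added example for this tutorial, not the author's code. Each entry's tag is
HMAC(key, previous_tag || record), so deleting, editing or truncating entries
breaks verification. It assumes the key and the latest tag ("head") are held by
a collector the compromised host cannot reach; an attacker with root on the
same host could otherwise recompute the whole chain. Sample events are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-tag value for the first entry

# Constructed sample audit events (not from a real system).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:05:12Z", "event": "login", "user": "admin", "src": "10.0.0.5"},
    {"ts": "2024-03-01T10:05:40Z", "event": "login", "user": "svc_backup", "src": "203.0.113.7"},
    {"ts": "2024-03-01T10:06:02Z", "event": "sudo", "user": "svc_backup", "cmd": "useradd helper"},
    {"ts": "2024-03-01T10:07:30Z", "event": "file_write", "user": "helper", "path": "/etc/cron.d/sync"},
]


def _canonical(record):
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def append_record(chain, key, record):
    """Append a record to the chain (a list) and return its tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, (prev + _canonical(record)).encode(), hashlib.sha256).hexdigest()
    chain.append({"record": record, "prev": prev, "tag": tag})
    return tag


def verify_chain(chain, key, expected_head):
    """Return (True, None) if intact, else (False, index) of the first bad entry.

    expected_head is the last tag the collector saw. A chain that verifies
    internally but ends on a different tag was truncated or replaced wholesale;
    that case is reported with index == len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, (prev + _canonical(entry["record"])).encode(),
                            hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    if not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


def build_chain(key, events=SAMPLE_EVENTS):
    """Build a chain from events; returns (chain, head_tag)."""
    chain, head = [], GENESIS
    for rec in events:
        head = append_record(chain, key, rec)
    return chain, head


def edit_record(chain, index, new_record):
    """Return a copy of the chain with one record altered, as an attacker would."""
    copy = [dict(e) for e in chain]
    copy[index]["record"] = new_record
    return copy


if __name__ == "__main__":
    key = b"constructed-demo-key; real keys belong in a KMS or on the collector"
    chain, head = build_chain(key)
    print("intact      :", verify_chain(chain, key, head))
    print("entry 1 gone:", verify_chain(chain[:1] + chain[2:], key, head))
    print("entry 2 edit:", verify_chain(edit_record(chain, 2, {"event": "noop"}), key, head))
    print("tail cut    :", verify_chain(chain[:-1], key, head))
```

The chain detects tampering after the fact; it does not prevent it. In practice the same effect is obtained by forwarding logs in real time to a collector (syslog over TLS, a SIEM) so that the copy the attacker can reach is not the only copy, and the hash chain is the check that the two copies agree.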

Denial of service (DoS)

Denial of service is another form of security attack, in which the attacker overwhelms the organization's server (or other hardware resources) or the telecommunication links from its ISP. Classic DoS attacks are one-to-one: the attacker launches the attack from his own machine against one organization with the objective of exhausting its resources (hardware or bandwidth), thereby denying the system's services to legitimate users. Since February 2000 the trend has shifted to a many-to-one mode of attack, known as distributed denial of service (DDoS). The attacker builds a network of zombies (compromised machines on the Internet running code under his control), and at his command all of them (sometimes tens of thousands) flood a single target simultaneously. Because each zombie on its own may look like an ordinary client, per-source limits at the target are not enough; defending against DDoS relies on surplus capacity, filtering upstream at the ISP or a scrubbing service, and reducing the number of compromisable machines on the Internet. It is one of the most difficult forms of attack against which an organization must secure itself.
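The difference between one-to-one and many-to-one is easiest to see with the most common first-line defence, a per-source rate limit. The simulation below is an added example, not code from the original tutorial: a token bucket per client address, run against constructed traffic. A single flooding source is throttled hard, while a thousand zombies each sending five requests pass the limiter untouched and still exceed the (assumed) server capacity.

```python
"""Per-source token-bucket rate limiting against a constructed request stream.

Added example for this tutorial, not the author's code. It shows why a limit
applied per client absorbs a one-to-one DoS flood but not a many-to-one DDoS
in which every zombie stays under the threshold. All traffic is constructed;
the 'server capacity' figure is an assumption.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens/second refill, at most `burst` stored."""

    def __init__(self, rate, burst, now=0.0):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        # Refill in proportion to elapsed time, never beyond the bucket size.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address (the usual first line of DoS defence)."""

    def __init__(self, rate=10.0, burst=20):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, src, now):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def simulate(requests, limiter):
    """requests: iterable of (time_seconds, src). Returns (accepted per src, dropped)."""
    accepted, dropped = defaultdict(int), 0
    for t, src in sorted(requests):
        if limiter.allow(src, t):
            accepted[src] += 1
        else:
            dropped += 1
    return accepted, dropped


def one_to_one_flood(n=1000):
    """Constructed: one attacker sends n requests in one second; a legitimate client sends 5."""
    attacker = [(i / n, "203.0.113.7") for i in range(n)]
    legit = [(i * 0.2, "192.0.2.50") for i in range(5)]
    return attacker + legit


def distributed_flood(zombies=1000, per_zombie=5):
    """Constructed: each zombie sends only per_zombie requests within the same second."""
    reqs = [(j / per_zombie + z * 1e-7, f"198.18.{z // 256}.{z % 256}")
            for z in range(zombies) for j in range(per_zombie)]
    reqs += [(i * 0.2, "192.0.2.50") for i in range(5)]
    return reqs


def exceeds_capacity(accepted, capacity_per_second):
    """True if the traffic that passed the limiter still exceeds what the server can serve."""
    return sum(accepted.values()) > capacity_per_second


if __name__ == "__main__":
    acc, dropped = simulate(one_to_one_flood(), PerSourceLimiter())
    print("one-to-one : attacker accepted", acc["203.0.113.7"], "dropped", dropped,
          "legit", acc["192.0.2.50"], "over capacity:", exceeds_capacity(acc, 1000))
    acc, dropped = simulate(distributed_flood(), PerSourceLimiter())
    print("distributed: accepted", sum(acc.values()), "dropped", dropped,
          "over capacity:", exceeds_capacity(acc, 1000))
```

With a bucket of 20 and a refill of 10 per second, the single attacker gets roughly 30 requests through in the first second and the legitimate client is unaffected. The distributed flood passes 5,000 requests in the same second, all of them legitimate as far as the per-source rule can tell, which is why DDoS has to be absorbed or filtered before it reaches the target.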

Malicious code

Malicious code is another form of security threat: pieces of code that reach vital areas of a system and do great damage there. The easiest way to distribute malicious code is through e-mail, so attachments should be checked before they are opened. There are many types of malicious code:

  1. Virus: the most common type of malicious code. Viruses are of various kinds. File viruses infect executable files and multiply whenever a user opens or runs an infected file, spreading through the system and damaging other files; they are the most common form. Boot-sector viruses attack the master boot record, rendering the operating system unbootable. Some viruses are application specific, like macro viruses that target office applications.
  2. Worm: malicious code that spreads over networks. Worms replicate themselves from one machine to another without user action and can spread very quickly; several highly publicized outbreaks have been reported.
  3. Trojan: a disguised form of malicious code. It looks like useful, trustworthy software on the surface but is malicious in reality. The easiest way to stop Trojans is to stop opening untrustworthy attachments and to stop downloading and running software from untrusted sources.
  4. Logic bomb: malicious code that waits in a system for a trigger, such as a particular date and time, before doing damage. It behaves harmlessly until the trigger condition is met and then damages the system and its data.
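"Check the attachment before opening it" is only useful if the check looks at content rather than at the file name, since a Trojan arrives as `invoice.pdf.exe` or a macro-bearing `.docm`. The inspector below is an added example, not code from the original tutorial. It reads the leading bytes (PE, ELF, OLE2, ZIP) and, for Office/ZIP containers, looks inside for a VBA project or executable members. The attachments are constructed byte strings, and the extension lists are assumptions to extend for your own environment.

```python
"""Inspect e-mail attachments by content, not by name.

Added example for this tutorial, not the author's code. Flags executables and
macro-capable Office documents even when renamed (invoice.pdf.exe, photo.jpg)
because it reads the file's leading bytes; a name-only filter is bypassed by
renaming. Sample attachments below are constructed byte strings, not real files.
"""
import io
import zipfile

# Assumed policy lists; extend for your own environment.
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                        ".vbs", ".ps1", ".hta", ".jar", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".txt", ".jpg", ".jpeg", ".png", ".gif"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def _inspect_zip(data):
    """ZIP is the container for .docx/.xlsx/.jar; look at member names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["PK header but not a valid ZIP archive"]
    findings = []
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("Office document contains a VBA macro project")
    if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
        findings.append("ZIP is a Java archive (executable)")
    if any(n.lower().endswith(tuple(DANGEROUS_EXTENSIONS)) for n in names):
        findings.append("archive contains executable or script members")
    return findings


def inspect_attachment(name, data):
    """Return a list of findings; an empty list means nothing suspicious was
    found, which is not the same as the attachment being safe."""
    findings = []
    exts = ["." + p for p in name.lower().split(".")[1:]]
    if exts and exts[-1] in DANGEROUS_EXTENSIONS:
        findings.append(f"dangerous extension {exts[-1]}")
        if len(exts) >= 2:
            findings.append("double extension disguises the real type")
    # Content-based checks: these survive renaming.
    if data.startswith(b"MZ"):
        findings.append("content is a Windows PE executable")
    elif data.startswith(b"\x7fELF"):
        findings.append("content is an ELF executable")
    elif data.startswith(OLE_MAGIC):
        findings.append("legacy OLE2 Office file; may carry VBA macros")
    elif data.startswith(b"PK\x03\x04"):
        findings.extend(_inspect_zip(data))
    if exts and exts[-1] in DOCUMENT_EXTENSIONS and any("executable" in f for f in findings):
        findings.append("extension claims a document or image but content is executable")
    return findings


def _zip_with(members):
    """Build an in-memory ZIP with the given {name: bytes} members (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments (not real files).
SAMPLE_ATTACHMENTS = {
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "quarterly.docm": _zip_with({"word/document.xml": b"<w:document/>",
                                 "word/vbaProject.bin": b"\x00" * 16}),
    "report.docx": _zip_with({"word/document.xml": b"<w:document/>"}),
    "notes.txt": b"Meeting notes: nothing to see here.\n",
}


if __name__ == "__main__":
    for fname, blob in SAMPLE_ATTACHMENTS.items():
        print(f"{fname:18} -> {inspect_attachment(fname, blob) or ['no findings']}")
```

Note what the empty result means: `report.docx` and `notes.txt` produce no findings because nothing in this check recognizes them as dangerous, not because they have been proven safe. A real mail gateway layers this kind of type check with signature-based and behavioural scanning.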

Social engineering

Social engineering is another way of attacking a system: a set of techniques used to trick users into parting with critical information such as usernames and passwords. The social engineer exploits the following human traits to get access to critical data:

  1. Most people trust others unless they are shown to be untrustworthy. The attacker exploits this trait. For example, a simple phone call made ostensibly on behalf of a trusted organization like a bank can make us divulge a lot of critical information about our bank accounts.
  2. The fear of getting into trouble is another trait the attacker exploits. For example, an e-mail asking for your password "for better maintenance of your bank account" may make you fear that the account will suffer if you refuse, and some people do give away their password.
  3. A preference for shortcuts is a third trait attackers exploit. Many people choose passwords that are nicknames, birth dates or pets' names, which can be easily guessed.

A skilled social engineer may thus obtain critical data that lets him access the system without much trouble. This type of attack is a serious threat that everyone must be careful about.

Some Top Hacking Incidents of All Time

1988

Robert Morris, a Cornell University graduate student, launched a worm on the Internet that infected machines worldwide and crashed thousands of them.

1990

In 1990 a Los Angeles radio station ran a contest that awarded a Porsche to the 102nd caller. Kevin Poulsen, a hacker, took control of the station's telephone lines and ensured that he was the 102nd caller so that he got the prize. He was later arrested.

1990s

Kevin Mitnick, a well known hacker, broke into the computer networks and systems of top technology companies like Nokia, Fujitsu, Motorola and Sun Microsystems. The incidents caused a huge stir in the security establishment; Mitnick was arrested by the FBI in 1995 and released in 2000.

1994

The Russian hacker Vladimir Levin is often described as the first hacker to break into a bank to steal money. In 1994 he gained access to a top US bank's VAX/VMS-based cash-management system and transferred an estimated $10 million USD to accounts under his control. He was arrested in 1995.

1996

Timothy Lloyd, a former network administrator, planted a logic bomb that deleted his former employer's manufacturing software, causing an estimated $10 million USD in damage.

1999

David Smith wrote and launched the Melissa virus, one of the most dreaded viruses, which damaged machines worldwide.

2000

Mafiaboy launched distributed denial of service attacks against the most popular sites on the Internet, including eBay, Amazon and Yahoo, knocking them offline.




About Dinesh Thakur
Dinesh Thakur holds B.C.A, MCDBA and MCSD certifications and authors the Computer Notes blog, where he writes how-to guides on computer fundamentals, computer software, computer programming and web apps.
Copyright © 2023. All Rights Reserved.