Information systems are vulnerable to many potential hazards and threats, as you can see in Figure. The two major categories of threats are unintentional threats and deliberate threats.
Unintentional threats are acts performed without malicious intent that nevertheless represent a serious threat to information security. A major category of unintentional threats is human error.
Organizational employees span the breadth and depth of the organization, from mail clerks to the CEO, and across all functional areas.
There are two important points to be made about employees.
First, the higher the level of employee, the greater the threat he or she poses to information security. This is true because higher-level employees typically have greater access to corporate data, and they enjoy greater privileges on organizational information systems.
Second, employees in two areas of the organization pose especially significant threats to information security: human resources and information systems. Human resources employees generally have access to sensitive personal information about all employees. Likewise, IS employees not only have access to sensitive organizational data, but they often control the means to create, store, transmit, and modify that data.
Other employees include contract labor, consultants, and janitors and guards. Contract labor, such as temporary hires, may be overlooked in information security arrangements. However, these employees often have access to the company’s network, information systems, and information assets. Consultants, although technically not employees, perform work for the company. Depending on the nature of their work, they may also have access to the company’s network, information systems, and information assets.
Finally, janitors and guards are the most frequently ignored people in information security systems. Companies frequently outsource their security and janitorial services. As with contractors, then, these individuals work for the company although they technically are not employees.
Moreover, they are usually present when most-if not all-other employees have gone home.They typically have keys to every office, and nobody questions their presence in even the most sensitive parts of the building.
In fact, an article from 2600: The Hacker Quarterly described how to get a job as a janitor for the purpose of gaining physical access to an organization. Human errors or mistakes by employees pose a large problem as the result of laziness, carelessness, or a lack of awareness concerning information security. This lack of awareness comes from poor education and training efforts by the organization. Human mistakes manifest themselves in many different ways, as shown in below table.
|Human Mistake||Description and Examples|
|Carelessness with laptops||Losing or misplacing laptops, leaving them in taxis, and so on.|
|Carelessness with computing devices||Losing or misplacing these devices, or using them carelessly so that malware is introduced into an organization’s network.|
|Opening questionable e-mails||Opening e-mails from someone unknown, or clicking on links embedded in e-mails|
|Careless Internet surfing||Accessing questionable Web sites; can result in malware and/or alien software being introduced into the organization’s network.|
|Poor password selection and use||Choosing and using weak passwords.|
|Carelessness with one’s office||Unlocked desks and filing cabinets when employees go home at night; not logging off the company network when gone from the office for any extended period of time.|
|Carelessness using unmanaged devices||Unmanaged devices are those outside the control of an organization’s IT department and company security procedures. These devices include computers belonging to customers and business partners, computers in the business centers of hotels, and computers in Starbucks, Panera Bread, and so on.|
|Carelessness with discarded equipment||Discarding old computer hardware and devices without completely wiping the memory; includes computers, cell phones, BlackBerry® units, and digital copiers and printers.|
|Careless monitoring of environmental hazards||These hazards, which include dirt, dust, humidity, and static electricity, are harmful to the operation of computing equipment.|
Social engineering is an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.
The most common example of social engineering occurs when the attacker impersonates someone else on the telephone, such as a company manager or an information systems employee.
The attacker claims he forgot his password and asks the legitimate employee to give him a password to use. Other common ploys include posing as an exterminator, an air-conditioning technician, or a fire marshal. Examples of social engineering abound.
Two other social engineering techniques are tailgating and shoulder surfing. Tailgating is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks him or her to “hold the door.” Shoulder surfing occurs when a perpetrator watches an employee’s computer screen over the employee’s shoulder. This technique is particularly successful in public areas such as in airports and on commuter trains and airplanes.