In the previous article, we saw that the main objective of information security management is to preserve the confidentiality, integrity and availability of information assets. Now, let’s take a quick look at some examples of computer crimes and threats to information assets that may undermine these objectives. There is nothing new about the threats facing organizations. History shows that these threats and crimes date back almost 4,000 years (over 130 generations), so none of them should come as a surprise. Below is a quick review of the threats and crimes that must be mitigated with administrative, physical, and technical controls:
Theft: The theft of information, designs, plans, and customer lists could be catastrophic to an organization. Consider the controls in place to prevent theft of money or embezzlement. Have equivalent controls in place to prevent the theft of valuable intellectual property.
Fraud: Misrepresentation to gain an advantage is the definition of fraud. Electronic records may be subject to remote manipulation for the purpose of deceit, suppression, or unfair profit. Fraud may occur with or without the computer. Variations of fraud include using false pretenses, also known as pretexting, for any purpose of deceit or misrepresentation.
Sabotage: Sabotage is defined as willful and malicious destruction of an employer’s property, often during a labor dispute or to cause malicious interference with normal operations.
Blackmail: Blackmail is the unlawful demand of money or property under threat to do harm. Examples are to injure property, make an accusation of a crime, or to expose disgraceful defects. This is commonly referred to as extortion.
Industrial Espionage: The world is full of competitors and spies. Espionage is a crime of spying by individuals and governments with the intent to gather, transmit, or release information to the advantage of any foreign organization. It’s not uncommon for governments to eavesdrop on the communications of foreign companies. The purpose is to uncover business secrets to share with companies in their country. The intention is to steal any perceived advancements in position or technology. Telecommunications traveling through each country are subject to legal eavesdropping by governments. Additional care must be taken to keep secrets out of the hands of a competitor.
Unauthorized Disclosure: Unauthorized disclosure is the release of information without permission. The purpose may be fraud or sabotage. For example, unauthorized disclosure of trade secrets or product defects may cause substantial damage that is irreversible. The unauthorized disclosure of client records would cause a violation of privacy laws, not to mention details that would be valuable for a competitor.
Loss of Credibility: Loss of credibility is the damage to an organization’s image, brand, or executive management. This can severely impact revenue and the organization’s ability to continue. Fraud, sabotage, blackmail, and unauthorized disclosure may be used to destroy credibility.
Loss of Proprietary Information: The mishandling of information can result in the loss of trade secrets. Valuable information concerning system designs, future marketing plans, and corporate formulas could be released without any method of recovering the data. Once a secret is out, there is no way to make the information secret again.
Legal Repercussions: The breach of control or loss of an asset can create a situation of undesirable attention. Privacy concerns have created new requirements for public disclosure following a breach. Without a doubt, the last thing an organization needs is increased interest from a government regulator. Stockholders and customers may have grounds for subsequent legal action in alleging negligence or misconduct, depending on the situation.
According to the U.S. Federal Bureau of Investigation (FBI), the top three losses in 2005–2006 were due to virus attack, unauthorized access, and theft of proprietary information. There is a trend of dramatic increase in unauthorized access and theft of proprietary information.
Taken from:
CISA® Study Guide Second Edition (chapter 7) by David L. Cannon
January 31st, 2011
sahlan