
COMPUTER SYSTEM VULNERABILITY: THREATS

Computer systems are vulnerable to many threats that can inflict various types of damage
resulting in significant losses. This damage can range from errors harming database integrity to
fires destroying entire computer centers. Losses can stem, for example, from the actions of
supposedly trusted employees defrauding a system, from outside hackers, or from careless data
entry clerks. Precision in estimating computer security-related losses is not possible because
many losses are never discovered, and others are "swept under the carpet" to avoid unfavorable
publicity. The effects of various threats vary considerably: some affect the confidentiality or
integrity of data while others affect the availability of a system.
In today's world nearly every organization, if not all, has gone digital, meaning it has embraced
technology, hence calling itself a "dot com". This has its merits and also its demerits for those
who use it. A computer is known to be an electronic device for storing and processing
data, typically in binary form, according to instructions given to it in a variable program. The
instructions that are given to the computer, and from which the computer performs the
task at hand, are the system. A computer system can be said to be the set of procedures or
instructions that a computer, being an electronic device, follows either to store or to
process the data it is commanded to handle. In their daily duties computer systems are exposed
to dangers caused either intentionally or unintentionally. This exposure to dangers is known as
vulnerability. Vulnerability can be said to be the absence of security controls that could lead to a
security breach when exploited by threats that increase the likelihood of risk to the computer
system. Threats, on the other hand, are entities that exploit vulnerabilities in the computer system,
thereby increasing the likelihood of risk to harm or cause harm to it.
Vulnerability Identification and Assessment

Vulnerability assessment is a review of the security
posture of operational systems for the purpose of identifying potential vulnerabilities in assets.
When vulnerabilities are identified, appropriate mitigation controls are implemented to
protect valued assets. Vulnerability assessments are not conducted exclusively to identify
potential vulnerabilities, but also to investigate missing countermeasures. It is therefore
imperative that periodic vulnerability assessments are carried out to protect critical assets. The
benefits of security vulnerability assessments include:

To identify a system (information, systems and network infrastructures, data, programs
and applications).

To classify the computer systems identified according to their importance to the organisation,
such as critical or non-critical. This classification depends on the deployed
methodology.

To identify the computer-based systems critical to an organisation, for example, information
(such as a marketing database or classified military information), and to identify which
infrastructure (systems or networks) processes, stores, or transmits the organisation's critical
information.

To determine the security posture of the systems in order to identify potential
vulnerabilities in them.

To determine associated security risks on systems (information, infrastructure, software
and content) as follows: end-user devices (PCs and PDAs), user-support devices and the
actual content or otherwise.

To determine security requirements and coordinate the right mix of countermeasures.

To assess missing controls, protection measures or requirements not implemented
correctly, or not implemented at all, which should have been, for the purpose of
protecting critical assets.

And finally, to recommend protection controls (countermeasures) to prevent or mitigate
identified vulnerabilities.

THREATS, ATTACK TIMELINE AND CLASSIFICATION


Security threats and attack timeline

To examine how threats exploit vulnerabilities in computer
systems, a requirement is to investigate the taxonomy of threats. Threats have been classified based
on vulnerabilities, as in Brinkley and Schell. Their classification focuses on identifying the potential
vulnerabilities an attacker exploits to harm an asset in order to provide appropriate
countermeasures. It has been argued that to provide efficient and timely countermeasures a
classification of threats based on attack timeline is essential. The purpose of classifying threats
based on propagation timeline is to examine at what point in its propagation a threat will cause
the most significant harm (or damage) to a computer system, and what countermeasures are possible at
each specific stage to mitigate the threat efficiently and in time. Thus, classification of threats
based on attack timeline is recognized. The developed threat classification is a three-stage threat
classification model based on attack timeline, namely: Probing, Penetration and Perpetuation
stages as shown below.

[Figure: attack timeline. Initial stage: PROBING STAGE; second phase: PENETRATION STAGE; last phase: PERPETUATION STAGE.]

The three stages of threats attack timeline are explained, as follows:


a) Probing Stage: the earliest stage in a threat attack timeline also referred to as the
reconnaissance stage. At this stage vulnerable networks and systems are discovered through such
process as probing. For example, an attacker may use a port scan to discover and characterize
networks and systems that are online and/or to find services, processes or applications running on
certain systems. Again, social engineering deception techniques can be engaged to gather
information about a person or a system as part of the probing stage.
b) Penetration Stage: the second stage in an attack timeline. This occurs when an attacker (or
threat agent) tries to circumvent security controls to create opportunities to cause harm or harm
the system. Two sub-categories are recognized:

Unauthorized access: when a threat intentionally (deliberately and maliciously) tries to
bypass access control mechanisms in order to harm or predispose a system to harm. For
example, brute force attacks and dictionary attacks.

Denial of Service: when a threat that does not require authorised access invades a system
in order to deliberately and maliciously harm or cause harm to a system, for example,
network intrusions, computer worms, denial of service attacks (DoS) and distributed
denial of service attacks (DDoS), characterised by the attempt to exhaustively consume
resources required to deliver services to legitimate users.

c) Perpetuation Stage: the last stage in an attack timeline. This occurs when threats have
successfully penetrated networks and/or systems unlawfully for malicious intent. Four sub-categories are recognized:
i. Disclosure of information and data: when the intent is for information or data or system
disclosure, consequently breaching the confidentiality of the system.
ii. Manipulation of data: when the intent is to alter information or data or system leading to
abuse of the integrity of information or data or system.
iii. Destruction of information or data or system: when the intent is to destroy assets leading
to abuse of integrity and availability.
iv. Cleaning-up: when the attacker removes traces of attack to prevent legitimate detection or
forensic evidence in order to avoid criminal prosecution.

At each stage of the attack timeline different countermeasures are required. For example, at the
probing stage, host and network-based intrusion detection systems are required to detect port
scans. It is shown that this stage is very important towards a successful attack, as it is a
precursor. According to the United States Army's Field Manual 100-5 [17], the success of an
attack has a high correlation with the thoroughness of the reconnaissance [18]. At the penetration
stage, strong access control mechanisms are required together with denial of service mitigation
tools. For example, authentication, authorisation and accounting mechanisms, firewall systems,
and DoS mitigation toolkits are all required. At the perpetuation stage, efficient forensic tools are
required together with efficient network monitoring systems. It is evident that at each stage of
the timeline different mitigation controls are required. Therefore, a classification that investigates
security threats in terms of attack timeline provides more efficient and timely
countermeasures to threats than taxonomies that investigate vulnerabilities without a good
understanding of threat propagation dynamics.
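
As an added illustration (not part of the original text), the stage-specific countermeasures above can be sketched as a small detector that tags log events with the attack-timeline stage they indicate. The event format, thresholds and addresses are assumptions made for this example, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW = 60         # seconds of history kept per source (assumed value)
PORT_THRESHOLD = 5  # distinct ports inside WINDOW treated as a port scan (assumed)
FAIL_THRESHOLD = 4  # failed logins inside WINDOW treated as brute force (assumed)

# Countermeasures the text names for each stage of the attack timeline.
COUNTERMEASURE = {
    "probing": "host/network intrusion detection",
    "penetration": "authentication, authorisation and accounting; firewall; DoS mitigation",
    "perpetuation": "forensic tools and network monitoring",
}

# Constructed sample events: (time_s, source, kind, detail).
EVENTS = (
    [(t, "192.0.2.10", "conn", p) for t, p in enumerate([21, 22, 23, 25, 80])]
    + [(100 + i, "192.0.2.10", "login_fail", "admin") for i in range(4)]
    + [(104, "192.0.2.10", "login_ok", "admin"),
       (200, "192.0.2.10", "log_cleared", "auth.log")]
    + [(t, "192.0.2.20", "conn", 443) for t in range(0, 50, 10)]      # one port only
    + [(60, "192.0.2.20", "login_fail", "alice"), (65, "192.0.2.20", "login_ok", "alice")]
    + [(t * 600, "192.0.2.30", "conn", p) for t, p in enumerate([80, 443, 25, 22, 53])]
)

def _push(queue, now, item):
    """Append (now, item) and drop entries older than WINDOW seconds."""
    queue.append((now, item))
    while now - queue[0][0] > WINDOW:
        queue.popleft()

def classify(events):
    """Map each source to the set of attack-timeline stages its events indicate."""
    conns, fails = defaultdict(deque), defaultdict(deque)
    logged_in, stages = set(), defaultdict(set)
    for t, src, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "conn":                       # probing: many distinct ports
            _push(conns[src], t, detail)
            if len({port for _, port in conns[src]}) >= PORT_THRESHOLD:
                stages[src].add("probing")
        elif kind == "login_fail":               # penetration: repeated failures
            _push(fails[src], t, detail)
            if len(fails[src]) >= FAIL_THRESHOLD:
                stages[src].add("penetration")
        elif kind == "login_ok":
            logged_in.add(src)
        elif kind == "log_cleared" and src in logged_in:
            stages[src].add("perpetuation")      # clean-up after access
    return dict(stages)

def report(events):
    """Return sorted (source, stage, countermeasure) rows for flagged sources."""
    return sorted((src, st, COUNTERMEASURE[st])
                  for src, sts in classify(events).items() for st in sts)

if __name__ == "__main__":
    for row in report(EVENTS):
        print(*row, sep=" | ")
```

Only 192.0.2.10 is flagged, once for each of the three stages; the other two sources stay below both thresholds.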

THREATS CLASSIFICATION
Threats to computer networks comprise the following:
i. Network errors
ii. Deliberate software threats
iii. Natural disaster (wildfire, flooding, earthquakes, and tidal waves - tsunami)
iv. Cyber-threats (terrorism, political warfare)
v. Insider threats caused by disgruntled employees.

To classify threats to computer networks, two fundamental threat categories are identified:
(a) natural phenomena threats
(b) human-made threats
[Figure: Human-Made Faults, classified by category (intentional, unintentional), motive (malicious, non-malicious), intent (deliberate, non-deliberate) and capability. Key: Acc. - Accidental, Incomp. - Incompetence, N/A - Not Applicable]

These threats cause failures in computer networks. Natural phenomena threats are physical
disasters that occur naturally without any human action, such as:
(i) Tropical wildfires, which occur in some African deserts, and seldom in Europe
(ii) Flooding
(iii) Earthquakes
(iv) Tidal waves (for example, tsunami)
Human-made threats are threats through human actions that cause faults in systems, such as:
(a) Developmental faults
(b) Physical faults
(c) Interaction faults.
According to Avizienis et al. [20], faults are classified in two major categories, namely
unintentional and intentional; the details are shown in the figure above.

a) Developmental faults include fault types that occur during development, such as
software bugs, hardware errata, design faults (wrong design of equipment, error in
dimension) and system caveats. These types of faults remain undetected during normal
program or hardware development, but may manifest themselves during system
operation, oftentimes under unexplainable operational circumstances.
b) Physical faults include fault types that affect hardware, such as physical damage to
hardware systems or hardware content. For example, system failures due to excessive
temperatures, or environmental conditions (flooding, fire, earthquakes, and tsunami)
affecting equipment performance or operation.
c) Interaction faults include faults that occur due to external interaction with the system. For
example, mistakes by system operators, maintenance personnel and others with access to
the system that lead to incorrect operation, accidental system shutdown, or accidental
physical damage, such as accidental disconnection of equipment, or an accidental cable
cut.
The above is the classification of human-action faults. This classification is used to evaluate and
determine the category, motive and intent of threats. For example,
I. Network errors (such as faulty systems design) are caused by unintentional, non-deliberate,
non-malicious, accidental human actions.
II. Deliberate software threats (such as viruses and computer worms) are caused by intentional,
malicious, deliberate human actions.
III. Cyber-threats (such as a terrorist attack) and insider threats (such as a disgruntled employee)
are caused by intentional, malicious, deliberate human actions.
Common threats include:
1. Errors and omissions
2. Fraud and theft
3. Employee sabotage
4. Loss of physical and infrastructure support
5. Malicious hackers
6. Industrial espionage
7. Malicious code
8. Foreign government espionage
9. Threats to personal privacy

1. Errors and Omissions
These are an important threat to data and system integrity, since they are caused not only by data
entry clerks processing many transactions, but also by all types of users who create and edit data.
This is because most programs lack quality control measures, especially those designed by users of
personal computers.
Errors can occur during all phases of the system life cycle, enabling them to create vulnerabilities.
This is because errors can crash a system. A survey by Robert Courtney stated that 65% of losses
are through errors and omissions.

2. Fraud and Theft
Fraud and theft can be committed by insiders (i.e. authorized users of a system), who are
responsible for the majority of fraud. This is because insiders have both access to and familiarity
with the victim computer system (including what resources it controls and its inflow). Former
employees of an organization, with their knowledge, can also pose a threat.

3. Employee Sabotage
Employees are most familiar with their employer's computers and applications, including
knowing what actions might cause the most sabotage; the motives can range from altruism to revenge.
Common examples of computer-related employee sabotage include:
Destroying hardware or facilities
Planting logic bombs that destroy programs or data
Entering data incorrectly
'Crashing' systems
Deleting data
Holding data hostage
Changing data

4. Loss of Physical and Infrastructure Support
The loss of supporting infrastructure includes power failures (outages, spikes, and brownouts),
loss of communications, water outages and leaks, sewer problems, lack of transportation
services, fire, flood, civil unrest, and strikes. The loss of infrastructure often results in system
downtime in unexpected ways.

5. Malicious Hackers
Malicious hackers are also called crackers since they break into computers without authorization.
They can include both insiders and outsiders. Hacking activity is mostly driven by
connectivity in both government and industry.

6. Industrial Espionage
Industrial espionage is the act of gathering proprietary data from private companies or the
government for the purpose of aiding another company or companies. This can be perpetrated either by
companies seeking to improve their competitive advantage or by governments seeking to aid their
domestic industries.
Since information is processed and stored on computer systems, computer security can help
protect against such threats; it can do little, however, to reduce the threat of authorized
employees selling that information.

7. Malicious Code
Malicious code refers to viruses, worms, Trojan horses, logic bombs and other 'uninvited'
software. They attack not only personal computers but also other platforms. A study in 1993
found that while the number of known viruses is increasing exponentially, the number of virus
incidents is not.
Virus: A code segment that replicates by attaching copies of itself to existing executables.
Trojan horse: A program that performs a desired task, but that also includes
unexpected (and undesirable) functions.
Worm: A self-replicating program that is self-contained and does not require a host program.
The program creates a copy of itself and causes network services to propagate it to other host
systems.

8. Foreign Government Espionage
Interference by foreign government intelligence services may be present. In addition to
possible economic espionage, foreign intelligence services may target unclassified systems to
further their intelligence mission, i.e. official travel plans, civil defenses and emergency
preparedness, security files, etc.

9. Threats to Personal Privacy
The accumulation of vast amounts of electronic information about individuals by government,
credit bureaus, and private companies, combined with the ability of computers to monitor,
process, and aggregate large amounts of information about individuals, has created a threat to
individual privacy. The possibility that all of this information and technology may be able to
be linked together has arisen as a specter of the modern information age.

Conclusion:
To control the risks of operating an information system, managers and users need to know the
vulnerabilities of the system and the threats that may exploit them. Knowledge of the threat
environment allows the system manager to implement the most cost-effective security measures.
In some cases, managers may find it more cost-effective to simply tolerate the expected losses.
Such decisions should be based on the results of a risk analysis. Effectively managing both
threats and vulnerabilities is increasingly difficult and challenging, especially because of the
evolving nature of threats and the increasing number of vulnerability incidents. Organizations
need to adequately protect their valuable computer systems thereby reducing associated risks.
Threats should not dictate how businesses are run. But threats can be a hindrance to this; threats
to information systems can prevent their availability to legitimate users, at acceptable levels,
thereby dictating how business operations function for an organisation. As discussed above, to
adequately manage both vulnerabilities and the threats that exploit vulnerabilities in computer
systems, a requirement is to implement appropriate countermeasures; but this is only attainable
through models that possess the potential to comprehensively represent what needs to be
protected and what it needs to be protected against, and therefore, through combined intelligence,
recommend appropriate controls that best protect valuable computer systems. It is needless
to implement protection controls such as firewalls or intrusion detection systems if those factors
have not been explicitly assessed and determined.
