
Threats & vulnerabilities considered for risk assessment

Hello friends, today I want to share the threats and vulnerabilities we considered when implementing our risk assessment.

The list also includes threats and vulnerabilities from ISO 22301 (business continuity), so that the assessment covers the widest possible range of effects on the confidentiality, integrity and availability of the assets. In the risk assessment each threat is paired with the vulnerabilities that make it feasible for a given asset; the resulting (asset, threat, vulnerability) combinations are the risks that are then scored and treated.

THREATS

  • Access to the network by unauthorized persons
  • Breach of contractual relations
  • Breach of legislation
  • Compromising confidential information
  • Concealing user identity
  • Damage caused by a third party
  • Damages resulting from penetration testing
  • Destruction of records
  • Disaster (human caused)
  • Disaster (natural)
  • Disclosure of information
  • Disclosure of passwords
  • Eavesdropping
  • Embezzlement
  • Errors in maintenance
  • Failure of communication links
  • Falsification of records
  • Fire
  • Flood
  • Fraud
  • Industrial espionage
  • Information leakage
  • Interruption of business processes
  • Loss of electricity
  • Loss of support services
  • Malfunction of equipment
  • Malicious code
  • Misuse of information systems
  • Misuse of audit tools
  • Pollution
  • Social engineering
  • Software errors
  • Strike
  • Terrorist attacks
  • Theft
  • Thunderstroke
  • Unintentional change of data in an information system
  • Unauthorized access to the information system
  • Unauthorized changes of records
  • Unauthorized installation of software
  • Unauthorized physical access
  • Unauthorized use of copyright material
  • Unauthorized use of software
  • User error
  • Vandalism

VULNERABILITIES

  • Complicated user interface
  • Default passwords not changed
  • Disposal of storage media without deleting data
  • Equipment sensitivity to changes in voltage
  • Equipment sensitivity to moisture and contaminants
  • Equipment sensitivity to temperature
  • Inadequate cabling security
  • Inadequate capacity management
  • Inadequate change management
  • Inadequate classification of information
  • Inadequate control of physical access
  • Inadequate maintenance
  • Inadequate network management
  • Inadequate or irregular backup
  • Inadequate password management
  • Inadequate physical protection
  • Inadequate protection of cryptographic keys
  • Inadequate replacement of older equipment
  • Inadequate security awareness
  • Inadequate segregation of duties
  • Inadequate segregation of operational and testing facilities
  • Inadequate supervision of employees
  • Inadequate supervision of vendors
  • Inadequate training of employees
  • Incomplete specification for software development
  • Insufficient software testing
  • Lack of access control policy
  • Lack of clean desk and clear screen policy
  • Lack of control over the input and output data
  • Lack of internal documentation
  • Lack of or poor implementation of internal audit
  • Lack of policy for the use of cryptography
  • Lack of procedure for removing access rights upon termination of employment
  • Lack of protection for mobile equipment
  • Lack of redundancy
  • Lack of systems for identification and authentication
  • Lack of validation of the processed data
  • Location vulnerable to flooding
  • Poor selection of test data
  • Single copy
  • Too much power in one person
  • Uncontrolled copying of data
  • Uncontrolled download from the Internet
  • Uncontrolled use of information systems
  • Undocumented software
  • Unmotivated employees
  • Unprotected public network connections
  • User rights are not reviewed regularly
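To show how a catalogue like this is actually used, here is an added example (my own illustration, not part of the original list or of any ISO document) that turns a handful of the threats and vulnerabilities above into a small risk register. The pairing of threats with vulnerabilities, the 1 to 3 likelihood and impact scales, the "risk = likelihood x impact" formula, the acceptance threshold and the sample asset are all assumptions chosen for illustration; ISO 27001 leaves the scoring method to the organisation.

```python
"""Added example (not from the original post): building a risk register from a
threat / vulnerability catalogue.

Assumptions (not taken from the page or the standard):
  * likelihood is rated 1 (rare) .. 3 (likely) per vulnerability
  * impact is rated 1 (minor) .. 3 (severe) per threat on the asset
  * risk score = likelihood * impact, and scores above an acceptance
    threshold need a treatment plan
"""
from dataclasses import dataclass

# Constructed mapping: which vulnerabilities (from the list above) make which
# threats (from the list above) feasible.  A real assessment maintains this
# mapping for the whole catalogue; three threats are enough for the example.
THREAT_VULNERABILITY_MAP = {
    "Unauthorized access to the information system": [
        "Default passwords not changed",
        "Lack of procedure for removing access rights upon termination of employment",
        "User rights are not reviewed regularly",
    ],
    "Disclosure of information": [
        "Disposal of storage media without deleting data",
        "Lack of clean desk and clear screen policy",
    ],
    "Loss of electricity": [
        "Lack of redundancy",
    ],
}


@dataclass(frozen=True)
class Risk:
    """One line of the risk register: an asset, a threat and the vulnerability
    through which that threat can materialise."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # assumed 1..3 scale
    impact: int      # assumed 1..3 scale

    @property
    def score(self) -> int:
        # Assumed formula; organisations may use matrices or other scales.
        return self.likelihood * self.impact


def build_register(asset, findings, likelihood, impact):
    """Enumerate every (threat, vulnerability) pair from the catalogue whose
    vulnerability was actually found on the asset, highest score first.

    findings   - set of vulnerability names present on the asset
    likelihood - dict vulnerability -> 1..3
    impact     - dict threat -> 1..3 for this asset
    """
    register = []
    for threat, vulns in THREAT_VULNERABILITY_MAP.items():
        for vuln in vulns:
            if vuln in findings:
                register.append(Risk(asset, threat, vuln, likelihood[vuln], impact[threat]))
    return sorted(register, key=lambda r: r.score, reverse=True)


def risks_requiring_treatment(register, acceptance_threshold=4):
    """Risks whose score exceeds the (assumed) acceptance threshold."""
    return [r for r in register if r.score > acceptance_threshold]


# Constructed sample input for one asset.
SAMPLE_ASSET = "HR file server"
SAMPLE_FINDINGS = {
    "Default passwords not changed",
    "User rights are not reviewed regularly",
    "Lack of redundancy",
}
SAMPLE_LIKELIHOOD = {
    "Default passwords not changed": 3,
    "User rights are not reviewed regularly": 2,
    "Lack of redundancy": 2,
}
SAMPLE_IMPACT = {
    "Unauthorized access to the information system": 3,  # confidentiality of HR data
    "Disclosure of information": 3,
    "Loss of electricity": 2,                             # availability only
}


if __name__ == "__main__":
    register = build_register(SAMPLE_ASSET, SAMPLE_FINDINGS, SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)
    for r in register:
        flag = "TREAT" if r in risks_requiring_treatment(register) else "accept"
        print(f"{r.score:>2}  {flag:<6} {r.threat} <- {r.vulnerability}")
```

Running the block lists three risks for the sample asset (scores 9, 6 and 4); the two above the assumed threshold are flagged for treatment, while "Disclosure of information" produces no line at all because none of its mapped vulnerabilities was found on the asset. That last point is the value of keeping the threat and vulnerability lists separate: a threat only becomes a risk when a matching vulnerability is actually present.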
