This document discusses security threats and vulnerabilities. It begins by noting that threats and vulnerabilities are constantly changing with evolving technology. It defines threats as actions that could damage an asset, and vulnerabilities as weaknesses that allow threats to occur. The document then discusses how to identify important organizational assets and assess risks to them. Several types of threats are outlined, including human threats like errors, criminal behavior, and insider threats from employees. Common forms of malicious software like viruses, worms, Trojan horses, rootkits and spyware are also described. Strategies for reducing insider threats like monitoring, multi-person access, and job rotation are presented.

1. Running head: SECURITY THREATS & VULNERABILITIES 1
Security Threats & Vulnerabilities
John Intindolo
American Public University

2. SECURITY THREATS & VULNERABILITIES 2
Security Threats & Vulnerabilities
In a world where technology is constantly evolving it comes as no surprise that threats and
vulnerabilities are also changing continuously. Information Security is keeping the confidentiality,
integrity, and availability of an entire organization, and is virtually impossible to accomplish
without being aware of the security threats and vulnerabilities that exist. A security threat is any
action that has the potential to damage an asset. Threats could be a result of a natural or man-
made event. There is no single security threat out there, but rather many different threats that can
bring down an entire organization’s network if they are unprepared on how to handle them.
Having a plan in place before an event occurs will ensure that the security professionals will be
equipped to handle any and all situations in a timely manner.
A vulnerability differs from a threat in that a vulnerability is defined as “a weakness in a
product that could allow an attacker to compromise the integrity, availability, or confidentiality of
that product” (“Definition of,” 2013). In other words vulnerability works to allow the threat to
occur. A threat needs a vulnerability to infiltrate a network. If a vulnerability is secured than the
threat cannot do its damage; therefore, it is important to keeping the network as secure as
possible. Before discussing that however the first thing to think about is what is it that the
organization wants to protect? After all how can an asset be protected if it is unknown what is
important to the organization?
The basic description of the things attempting to be protected are anything that has value
otherwise known as assets. Assets within an organization range from sensitive data like trade
secrets, to financial data like credit card information, to hardware and software components, or
even to reputation assets such as a brand imaging. Once the assets of the organization are
understood it is important to determine the risk of an attack at each level. This can be done by
performing a risk assessment. A risk assessment should be performed by prioritizing the risk of an

3. SECURITY THREATS & VULNERABILITIES 3
attack from the most likely all the way down to the least likely vulnerability. The next phase
would be to explain the different security threats. The first threat to the security of a network is
the human element.
People are human meaning that everyone makes mistakes, and no person is perfect.
Human beings also have the ability to make a choice for themselves, right or wrong. The security
threats that a person poses to computer security can be through user error, being uneducated in
using the system properly, or even purposely attempting to damage or steal data. Criminal
behavior is dealt with in a much different manner in normal everyday life as oppose to in
cyberspace. The laws and consequences in real world are respected by people (for the most part),
but in cyberspace criminal behavior runs rampant and often goes unpunished (or even
undiscovered). There are two different types of people that are a threat to a network’s security,
an insider and an outsider. Which of the two is the bigger threat? Well according to Gartner,
“More than 70% of unauthorized access to data is committed by an organization’s own
employees” (Beaver, 2006). That is an astonishing number to think about.
An insider threat is one that describes the people within the organization that are
disgruntled and have become a principal source of computer crimes due to their knowledge of the
victim’s system (Erbschloe, 2005, p. 2). This intimate knowledge that an insider has can lead to
things such as stealing or corrupting company data. A key thing to understand is that while
viruses and Trojan-based attacks are often thought as an issue from an outsider, an insider poses a
bigger threat because they have a higher chance of performing a successful attack. How severe is
an insider threat? Well according to Ernst & Young survey, 25 percent of organizations surveyed
have experienced an increase in attacks by malicious insiders (2009, p. 5). That is a pretty
significant number. Now the question that remains is what makes a person disgruntled to the point
that they would perform an attack against their employer? There are several reasons that an

4. SECURITY THREATS & VULNERABILITIES 4
otherwise trustworthy employee may become an insider threat. Some reasons would be the stress
and fear of being laid-off, or an unexpected financial problem that they may come under. How can
an insider threat be guarded against?
There are three strategies that work best for reducing the risks associated with an insider
threat. Those would be monitoring, two-person or multi-person control, and job rotation. Trust is
something that cannot be taken for granted no matter how great of a team an organization has.
These strategies are put into place to keep “the bad seeds honest and the good ones from slipping
up” (“Best practice guide,” 2012). Monitoring can be done in the form of scanning an employee’s
computer for unauthorized activity (such as visiting a webpage that is not work related during
business hours) or double checking periodic results, like counting the cash held by a cashier for
example (Smith, 2011, p. 573). One of the main reasons that an employee would attempt to steal
a company’s data is because they feel that they can do it without getting caught. Monitoring
greatly increases the chances of them being caught, and may deter someone from attempting to
follow through on an attack or stealing.
The second strategy to help reduce the risk of an insider threat is through two-person or
multi-person control. Two-person or multi-person control requires the use of more than one
person to be involved in a critical transaction. For example, a nuclear missile launch may require
the use of two or more people so that one person does not have the ability to perform an attack.
Without all parties’ access codes the launch will not occur. Most internal attacks are done
individually, therefore implementing two-person or multi-person control can greatly reduce the
risk. The third strategy that can help in the reduction of an insider threat is through job rotation.
This is done by having a rotation of several people doing the same job duties. Not only does this
help to combat against insider attacks, but it also exposes the employees to different experiences

5. SECURITY THREATS & VULNERABILITIES 5
and gives them a more varied skill set. If more than one person performs the same task it lessens
the risk that one of them will be performing some sort of malicious behavior.
Outsider threats are threats to an organization’s network using the Internet or outside
networks to gain authorized access to the organization’s network. An outsider, as the name
suggests, comes from a source outside of the network that attempts to damage the confidentiality,
integrity, and availability of a network. Insider and outsider threats come in many forms, but both
come in the form of malicious software and several different attacks. Malicious software is also
known as Malware and is used to follow the instruction of an attacker to cause damage to or
disrupt a system (Kim & Solomon, 2012, p. 117). Malware can be broken down into two
categories, infecting programs and hiding programs. Within these two categories are several
types of Malware and they are: viruses, worms, Trojan horses, rootkits, and spyware.
The first example of an infecting malware program is a virus. Viruses are the most
common type of malicious attacks to the everyday computer user. Even if a person has a limited
background in information technology, chances are they are aware of what a virus does to a
computer. A virus is a program written by a hacker to alter the way a computer operates without
the permission or even knowledge of the user, and it will replicate and execute itself in the hopes
of damaging the user’s computer (Ahmad, 2012, p. 751).
Viruses and worms are both a type of Malware that are categorized as an infecting
program. Infecting programs actively try to copy themselves onto other computers to carry out
the attacker’s instructions onto new targets (Kim & Solomon, 2012, p. 117). Worms like viruses
reproduce and spread to other computers, but they differ from viruses in that they are independent
programs as opposed to ones that hide inside another program. The second category of Malware
that exists are known as hiding programs. The difference with hiding programs is that they carry

6. SECURITY THREATS & VULNERABILITIES 6
out the attacker’s instructions while hiding in the computer and avoiding detection. This is where
Trojan horses, rootkits, and spyware fall under.
Trojan horses are destructive programs that disguise themselves as a harmless computer
program with the purpose of getting access to the victim’s computer from a different location
(“Information security office,” 2012). They try to trick the victim into thinking that it is a safe
program in an effort to damage the system. This is often done through an e-mail attachment or
from a file that was downloaded off of the Internet. A rootkit is like a Trojan horse in that it will
hide itself, but it will not try to corrupt or damage the system. So if a rootkit does not attempt to
damage the system, then what does it do?
A rootkit rather than damage the system will be used instead to give the attacker ability to
access information, monitor the victim’s actions, modify programs, or carry out other functions
on the victim’s computer without being detected (McDowell, 2013). Due to the fact that a rootkit
can allow an attacker to modify programs it makes recovering from this type of an attack a
difficult task. If it is unable to be removed the best way to recover may be to simply reinstall the
operating system, because a prior version of a file may not be trustworthy. The third type of
hiding program Malware would be spyware. Spyware is very common to the average computer
user nowadays and is almost as well known to people as viruses. Spyware is used to collect
information about someone or an organization without their approval or knowledge. This
information is then used for such things as selling to advertising agencies or in some cases it can
be used for identity theft.
Like Malware there are also different types of attacks including the following: key
logging, spoofing, phishing, social engineering, and denial-of-service attacks. Knowing each one,
how they affect an organization’s infrastructure, and what to do in order to prevent an attack will
go a long way to keeping the network secure. Key logging refers to an attack that logs every key

7. SECURITY THREATS & VULNERABILITIES 7
stroke that the victim makes and can allow the attacker to get passwords, bank account
information, etc. This can lead to some stealing of valuable data or even money. Spoofing is when
the attacker falsifies data in order to give them an illegitimate advantage.
Phishing threats meanwhile take spoofing one step further in that not only do they falsify
data, but they do so in order to steal sensitive financial or personal information (Ahmad, 2012, p.
751). Social engineering attacks are similar to phishing and spoofing threats, but by deceiving the
victim into revealing secure information and in turn using that secure information to attack the
organization’s network. These attackers are modern-day con-artists that prey on people’s
emotions to get their information. The next attack that is a threat would be a denial-of-service
attack. DOS attacks are used to interrupt or suspend the victim’s services to the Internet.
Now that the threats and vulnerabilities have been outlined the question remains, how can
these threats be stopped before doing damage. A default deny policy should be implemented,
meaning that everyone on the network will be denied access as a default. Only those whose job
requires access to items will have it. This will help alleviate many problems that are caused from
user error or unauthorized personnel accessing sensitive data. Internet usage should be relegated
to work related sites only. Cyber threats such as Malware, phishing, and impersonation are most
common in social networking sites, which is why they should be banned from the workplace (Al-
Mushayt, 2013, p. 57).
Anti-virus software, anti-malware software, firewalls, and intrusion detection systems
should be installed on each and every computer connected to the network to prevent a malicious
attack. Additionally, all software should be updated and a strong use of passwords should be used
in order make it difficult for attackers to guess. Furthermore, multi-factored authentication and
encrypting files and passwords whenever possible will make the system much harder to attack.
One other important implementation in addition to these tools would be having security teams run

8. SECURITY THREATS & VULNERABILITIES 8
security tests against the network from the outside in to allow vulnerabilities to be discovered and
corrected before an attack is able to take place (“Vulnerability management,” 2013). All of these
tools will help, but they alone will not solve the problem. There must be a security process that
takes place in addition to the use of the tools listed above.
In order to keep the network secure, reduce the risk of an attack, or decrease the effect an
attack will have, it is best to put into practice the following six phases of the security process:
identify the assets, analyze the risk of an attack, establish a security policy, implement the
defenses, monitor the defenses that have been implemented, and recover from attacks. Identifying
the organizations assets will as stated earlier show exactly what the organization will want to
protect. Once that is complete, an analysis of each asset’s risk of an attack will identify where the
company is vulnerable and in need of more secure measures. From that point a security policy can
be written and put into place to create a set of rules and guidelines for everyone on the network to
adhere by while connected to the network.
The written security policy gives people a list of rules to follow, but it is important that
they are followed from the top of the organization all the way to the bottom. Additionally, the
importance needs to be emphasized by those who created the policy by thoroughly going over the
policy with anyone who will have network access. This can be done in the form of a company
meeting. Whenever a change is necessary the policy should be updated, and the users should be
properly informed of all changes.
Next would be implementing the defenses. The defenses are implemented to protect
against an attack or intrusion. They will need to be constantly monitored by the IS professionals
to see where a weakness may be exploited. It is their job to find the weakness and correct it
before a malicious attack occurs. This form of continuous improvement is extremely important to
the security of a network, because without constant evaluation and correction the network will

9. SECURITY THREATS & VULNERABILITIES 9
become susceptible to an attack. Keeping up with the latest Windows Updates and downloading
the latest patches are some examples of this. Recovery from an attack may be the last phase of the
security process, but it just might be the most important as well.
There is no 100 percent secure method. There will be a time when the organization will
experience an attack, and it is how well prepared the security team is to handle that and how fast
they handle it that will be key. The best methods for recovery are to have an incident response
team, incident response plan, business continuity plan, and backups. The incident response team
will be put into place to handle any and all incidents as set forth in the incident response plan.
Having a plan in place will keep everyone from panicking and get the problem resolved much
quicker. A business continuity plan will give a set of procedures to follow to either keep the
company running in the event of an attack, or to minimize the time that the company is down.
Backups should be taken once every 24 hours and if possible stored at a secure off-site facility. If
stored on-site they should be locked away where only authorized personnel have access to them.
There are many threats and vulnerabilities that exist out there, but through careful
management and planning as detailed above, an organization’s network can remain secure against
many threats. No method is going to keep the system completely secure, so it is important to be
ready to handle any and all attacks. In this day and age so many companies rely on being
connected to the Internet for their everyday business needs. Therefore, if their network is down
for a lengthy amount of time it is going to cost them a significant amount of money. In some cases
a company rendered without power may even cause the end of the company altogether.

10. SECURITY THREATS & VULNERABILITIES 10
References
Ahmad, A. (2012). Type of security threats and it’s prevention. International Journal of
Computer Technology and Applications, 3(2), 750-752.
Al-Mushayt, O. S. (2013). Threats and anti-threats strategies for social networking
websites.International Journal of Computer Networks & COmmunications, 5(4), 53-61.
Retrieved from http://airccse.org/journal/cnc/5413cnc05.pdf
Beaver, K. (2006). Five common insider threats and how to mitigate them. Retrieved from
http://searchsecurity.techtarget.com/tip/Five-common-insider-threats-and-how-to-
mitigate-them
Best practice guide to minimizing your insider risk. (2012). Retrieved from
https://www.lumension.com/Media_Files/Documents/Marketing---
Sales/Whitepapers/Best-Practice-Guide-Minimizing-Your-Insider-Risk.aspx
Definition of a security vulnerability. (2013). Retrieved from http://technet.microsoft.com/en-
us/library/cc751383.aspx
Erbschloe, M. (2005). Trojans, worms, and spyware: A computer security professional's guide to
malicious code. Burlington, MA: Elsevier Butterworth-Heinemann.
Ernst & Young. (2009). Outpacing change: Ernst & young’s 12th annual global information
security survey. Retrieved from http://www.b3b.ch/wp-
content/uploads/12th_annual_GISS.pdf
Information security office faqs. (2012). Retrieved from
http://secureonline.iowa.gov/faqs/index.html
Kim, David, Solomon, Michael. (2012). Fundamentals of Information System Security.
Information Systems & Security Series. Sudbury, MA. Jones & Bartlett Learning.
References

11. SECURITY THREATS & VULNERABILITIES 11
McDowell, M. (2013). Understanding hidden threats: Rootkits and botnets. Retrieved from
http://www.us-cert.gov/ncas/tips/ST06-001
Smith, R.E., PhD. (2011). Elementary Information Security. Burlington, MA: Jones & Bartlett
Learning.
Vulnerability management. (2013). Retrieved from
http://www.veracode.com/security/vulnerability-management