ITE 305: Information Assurance and Security 2

Module #3

Name: Class number: _________________

__________________________________________ Date: _________________________
Section: _________ Schedule: ______________________

Lesson title: Technical Threats in Information Security Materials:

Lesson Objectives: The student should be able to: Module
-Understand what are the threats in Information Security References:
-Recognize the common examples of threats Principles of Information Security.
Whitman
-Be able to classify the common examples of threats
Information Security Management
Principles
W3Schools.com

Productivity Tip:
“Take a time to rest, the topics here can be a bit mind opening, and if there are things you cannot understand, ask your
teacher”

A. LESSON PREVIEW/REVIEW
1) Introduction (2 mins)
Hello! I hope you are all doing well
Do not be intimidated by the module title, we are not going to threaten. We will be introducing you the
introductory knowledge of these threats in information security. With this knowledge you will be ready to know
the different kinds of threats an organization can encounter.
This module will of course further improve your understanding of threats from the previous lesson.
Please take note that in the future lessons we will be focusing on attacks. But we need to understand both threats
and attacks to be able to defend against further attacks.
A good introduction to this threats thing is to give you a saying from Sun Tzu Wu, who wrote the Art of War. He
is a military expert during his age. And he said in his book: “If you know the enemy and know yourself, you need
not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will
also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
In our case. For our organization to be successful we must know ourselves and our enemy. Enemy here means the
threats such as person, object, or entity that presents an ongoing danger to an asset. In other words we must
understand these threats to ensure our victory against them.

1
FLM 1.0
 ITE 305: Information Assurance and Security 2
Module #3

Name: Class number: _________________

__________________________________________ Date: _________________________
Section: _________ Schedule: ______________________

2) Activity 1: What I Know Chart, part 1 (3 mins)

What I Know Questions: What I Learned (Activity 4)
1. 1. What are threats? 1.

2. 2. Why do we need to know these 2.

threats?

B.MAIN LESSON
1) Activity 2: Content Notes (13 mins)
Here we will be discussing Threats and Attacks. There is a common misunderstanding about them and some
people cannot distinguish the 2. But for the IT industry it is needed to know the difference between the two, also
their similarities.

Threats
In the context of information security, a threat is an object, person, or other entity that presents an ongoing danger
to an asset.
According to researchers, with the number of internet users continuously grows, the number of threats from
external sources also grows, and by the time this year (2020) it is estimated that 59% of the global population has
access to the internet, we can safely assume that there is a huge external sources of threats.

Categories of Threats
We will be focusing on the 14 category of threats:
Compromises to intellectual property or assets
Deliberate Software attacks
Deviations in quality of service
Espionage or trespass
Forces of nature

2
FLM 1.0
 ITE 305: Information Assurance and Security 2
Module #3

Name: Class number: _________________

__________________________________________ Date: _________________________
Section: _________ Schedule: ______________________

Human error or failure

Information extortion
Missing, inadequate or incomplete organizational policy or planning
Missing, inadequate or incomplete controls
Sabotage or vandalism
Theft
Technical Hardware failures or errors
Technical Software failures or errors
Technological obsolescence
We will explain and provide some types for some threats categories, but more importantly we will provide
examples.
1. Compromises to Intellectual Property or Assets
The unauthorized or illegal use of Intellectual Property is a threat to information security. The 2 common
examples of compromises to intellectual property: pirating of a company’s software and violation of software
licenses.

2. Deliberate Software Attacks

Deliberate software attacks occur when an individual or group designs and deploys software to attack a
system. Most of this software is referred to as malicious code or malicious software, or sometimes malware.
These software components or programs are designed to damage, destroy, or deny service to the target systems.
These include viruses, Trojan horse, worm virus, and hoaxes.

3. Deviations in Quality of Service

An organization’s information system depends on the successful operation of many interdependent
support systems, including power grids, telecom networks, parts suppliers, service vendors, and even the janitorial
staff and garbage haulers.
These includes loss of internet service provider (Globe, Smart, PLDT), Loss of electricity (Brownout or
Blackout), Loss of communication with client or services.

4. Espionage or Trespass
Espionage or trespass is a well-known and broad category of electronic and human activities that can
breach the confidentiality of information. When an unauthorized individual gains access to the information an
organization is trying to protect, that act is categorized as espionage or trespass.
3
FLM 1.0
 ITE 305: Information Assurance and Security 2
Module #3

Name: Class number: _________________

__________________________________________ Date: _________________________
Section: _________ Schedule: ______________________

Attackers can use many different methods to access the information stored in an information system. One
of which is direct stealing from the company through physical means, another common one is through hacking.

5. Forces of Nature
Forces of nature, or acts of God, can present some of the most dangerous threats, because they usually
occur with very little warning and are beyond the control of people. These threats, which include events such as
fires, floods, earthquakes, and lightning as well as volcanic eruptions and insect infestations, can disrupt not only
the lives of individuals but also the storage, transmission, and use of information.
Even recent day’s COVID 19 Pandemic is considered as this.

6. Human Error or Failure

This category includes acts performed without intent or malicious purpose by an authorized user. When
people use information systems, mistakes happen. Mistakes commonly happen to those who has very low
experience of operations in the organization. So the best way to reduce these human errors is to train the
employees.
Failure in the other hand can be a result of lack of trying and putting effort, but sometimes whenever you
even try your best, it is not even enough, it can still be failure, it is in the part of the supervisor to understand your
failure. A good guide is to remember that failure is a lesson, and you can be better after that.

7. Information Extortion
Information extortion occurs when an attacker or trusted insider steals information from a computer
system and demands compensation for its return or for an agreement not to disclose it.

8. Missing, inadequate or Incomplete Organization Policy or Planning

Missing, inadequate, or incomplete organizational policy or planning makes an organization vulnerable to
loss, damage, or disclosure of information assets when other threats lead to attacks.
Information security is, at its core, a management function. The organization’s executive leadership is
responsible for strategic planning for security as well as for IT and business functions—a task known as
governance.

9. Missing, inadequate or incomplete controls

Missing, inadequate, or incomplete controls—that is, security safeguards and information asset protection
controls that are missing, misconfigured, antiquated, or poorly designed or managed—make an organization more
likely to suffer losses when other threats lead to attacks.

4
FLM 1.0
 ITE 305: Information Assurance and Security 2
Module #3

Name: Class number: _________________

__________________________________________ Date: _________________________
Section: _________ Schedule: ______________________

For example, if a small organization installs its first network using small office/home office (SOHO)
equipment (which is similar to the equipment you might have on your home network) and fails to upgrade its
network equipment as it becomes larger, the increased traffic can affect performance and cause information loss.

10. Sabotage or vandalism

This category of threat involves the deliberate sabotage of a computer system or business, or acts of
vandalism to either destroy an asset or damage the image of an organization. These acts can range from petty
vandalism by employees to organized sabotage against an organization.

11. Theft
The threat of theft—the illegal taking of another’s property, which can be physical, electronic, or
intellectual—is a constant. The value of information is diminished when it is copied without the owner’s
knowledge.
In other words, stealing, is the easiest term for this. And anyone is under threat of this.

12. Technical Hardware failures or errors

Technical hardware failures or errors occur when a manufacturer distributes equipment containing a
known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting
in unreliable service or lack of availability.
This can happen in new products in the market that are not fully tested. Worst case scenarios for IT is that
their Servers fails, which can cause a sum of money.

13. Technical Software failures or errors

Large quantities of computer code are written, debugged, published, and sold before all their bugs are
detected and resolved. Sometimes, combinations of certain software and hardware reveal new bugs.
These failures range from bugs to untested failure conditions. Sometimes these bugs are not errors, but
rather purposeful shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes
into programs that bypass security checks are called trap doors and can cause serious security breaches.
Sometimes even a simple error in loop can greatly cause these.

14. Technological obsolescence

Technologies and tools that you use get older and obsolete, for your organization prosper you need to
upgrade or change these technologies/tools.

5
FLM 1.0
 ITE 305: Information Assurance and Security 2
Module #3

Name: Class number: _________________

__________________________________________ Date: _________________________
Section: _________ Schedule: ______________________

Everything gets old, even machines. And with the rate that our machines/hardware/software update, it can
even be said that they get older faster, and thus get obsolete faster.
Before it was a big highlight that your flashdrive can handle 16gb, now you can see 1tb flashdrives. Good
thing 16gb is not yet considered as obsolete. A good example of obsolete is if you are still using old operating
systems that are no longer supported by Microsoft.

The need for threat categorization

In the future, as an IT professional, you would always be considering all of these threats even if you are
starting. Because each of these threats can also affect personal use. Such as Theft, your things can be stolen.
Technological Obsolescence, your computer might not be able to handle advanced programming tools, software
attacks, you can be affected by a virus, and etc.
In other words, knowing these categories of threats already readies your mind on how to defend against them,
both for your organization and for yourself.
For a systems developer. You can use this knowledge to understand that technical software failures or errors
can happen.
For a quality assurance engineer or tester. You must know that human error or failure can happen.
And even an IT personnel must understand that Technical Hardware failures or errors, and technological
obsolescence is a threat to your job.
As a member of an organization, you can focus on the category of threats that can greatly affect your job. As
information security officer, you must understand who among the organization’s employees are affected most
among these threats.

2) Activity 3: Skill-building Activities (with answer key) (18 mins + 2 mins checking)
Now that we know the common terms used in IAS 2. Let’s practice what we understood so far.
Exercise 1: Matching type. Match the phrases/words to below to the appropriate description further below by writing
corresponding letter.

A. Compromises to intellectual property or assets G. Information extortion

B. Deliberate Software attacks H. Missing, inadequate or incomplete organizational
policy or planning
C. Deviations in quality of service
I. Missing, inadequate or incomplete controls
D. Espionage or trespass
J. Sabotage or vandalism
E. Forces of nature
K. Theft
F. Human error or failure
6
FLM 1.0
 ITE 305: Information Assurance and Security 2
Module #3

Name: Class number: _________________

__________________________________________ Date: _________________________
Section: _________ Schedule: ______________________

L. Technical Hardware failures or errors N. Technological obsolescence

M. Technical Software failures or errors

___ 1. They are considered to be the most dangerous threats, because they give little to know warning and deliver
devastating damage to assets.
___ 2. These threats occur when a manufacturer distributes equipment containing a known or unknown flaw.
___ 3. A very good example of these are loss of electricity and internet service provider.
___ 4. Threats occur when large quantities of computer code are written, debugged, published, and sold before all their
bugs are detected and resolved.
___ 5. This category of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism to
either destroy an asset or damage the image of an organization.
___ 6. A very common procedure in this type of threat is hacking
___ 7. This category includes acts performed without intent or malicious purpose by an authorized user. Commonly
known as natural mistakes.
___ 8. This threat occurs when an attacker or trusted insider steals information from a computer system and demands
compensation for its return or for an agreement not to disclose it.
___ 9. This occurs when tools and technologies gets old to catch up to the trend and speed of the Industry’s needs.
___ 10. This threat makes an organization vulnerable to loss, damage, or disclosure of information assets when other
threats lead to attacks.
___ 11. Common example of this type of threat is violating software licenses and pirating software.
___ 12. This threat makes an organization vulnerable to loss, damage, or disclosure of information assets when other
threats lead to attacks.
___ 13. This threat is stealing assets of a an organization, it can be physical, electronic or even intellectual, as long as it
has value and it can be stolen.
___ 14. This threat focuses on the fact this attack occurs when an individual or group designs and deploys software to
attack a system.

2
FLM 1.0
 ITE 305: Information Assurance and Security 2
Module #3

Name: Class number: _________________

__________________________________________ Date: _________________________
Section: _________ Schedule: ______________________

3) Activity 4: What I Know Chart, part 2 (2 mins)

Please visit the What I know Chart from Activity 1 and write your answers to the questions based on what you
know in the third column of the chart

4) Activity 5: Check for Understanding (5 mins)

As a student, in all of these threats, can you list down at least 4 threats that can affect you most especially in your
studies? And why?

2
FLM 1.0
 ITE 305: Information Assurance and Security 2
Module #3

Name: Class number: _________________

__________________________________________ Date: _________________________
Section: _________ Schedule: ______________________

C. LESSON WRAP-UP
1) Activity 6: Thinking about Learning (5 mins)
You are done with this session! Let’s track your progress. Shade the session number you just completed.

Did you have challenges learning the common terms in IAS? If none, which parts of the module helped you learn the
terms? Did you enjoy the modules?
FAQs
1. Are there other categories of threats?
Answer: There could be more from other companies, or perhaps they have their own way of categorizing these threats.
But the ones listed here are the most common way of categorizing threats

3
FLM 1.0