COMPUTER SECURITY AND HEALTH ISSUES

 The use of computers has greatly increased over the last few decades. People now use
computers and keyboards as a daily way of communicating, working, and even for
entertainment.
 A condition known as Repetitive Strain Injury (RSI) has now been recognized as a result of
the repetitive motion of typing and sitting in a fixed position (i.e. at a desk for eight hours).
This can cause significant injury and pain to the arms, elbows, fingers, and wrists.
 This condition is extremely painful and can affect everyone from sedentary people to those
who are active and physically fit. Some people must leave a computer-focused employment
position because of their RSI.
 Patients can sometimes become permanently disabled as a result of Repetitive Strain Injury.
Fortunately through education and resources, people can prevent and recognize the risks of
RSI before it happens.
Symptoms
 The symptoms of Repetitive Strain Injury can vary, but almost always consist of pain. The
neck or back can feel constant strain, and fingers or wrists can become painful to maneuver.
 A feeling of weakness is often accompanied by shooting pangs of pain.
 Numbness in the arms or hands can also be a symptom, and can cause alarm or fear that other
issues such as a potential heart attack are taking place.
 Some people who suffer from severe RSI cannot operate a keyboard or personal objects
effectively because of the intense pain.
Prevention
Fortunately, there are ways people can avoid being a victim of R S I.
 First, take plenty of breaks while sitting and working at a computer.
 Get up from your desk and take a short walk.
 Stretching of the neck, back, and fingers is essential in preventing disease.
 Be sure to follow proper sitting procedures so that your neck, eyes, and wrists are
comfortable and not strained.
 Be sure you are typing in the proper ergonomic position.

1
 Use a wrist guard or wrist rest at the keyboard and mouse so you are getting the proper
support.
 Try to use larger fonts so your eyes are not strained, and perform some deep breathing
exercises while seated at your desk to stay relaxed.
Ergonomics
 Ergonomics is the science of using proper motion, posture, and equipment to ensure people
are sitting or working in a way that will not cause injuries.
 The use of ergonomics can apply to just about any situation from offices to construction sites.
How a person sits, types, or uses machinery can make a huge difference in the way they feel
overall, and by using ergonomics in every day life, you can ensure you will not experience
Repetitive Strain Injury.
 By adapting the way you sit or work, you can help keep your neck and spine aligned and
prevent injury to the hands and wrists.
 Simple classes or reading more about ergonomics can help to educate people about the
proper way to function in their daily lives.

HEALTH ISSUES
 In the wake of the expanding use of Visual Display Terminals (VDTs), concerns have been
expressed about their potential health effects.
 Complaints include excessive fatigue, eye strain and irritation, blurred vision, headaches,
stress, and neck, back, arm, and muscle pain.
 Research has shown that these symptoms can result from problems with the equipment, work
stations, office environment or job design, or from a combination of these.
 Concerns about potential exposure to electromagnetic fields also have been raised.

i. Visual Problems
 Visual problems such as eyestrain and irritation are among the most frequently reported
complaints by VDT operators.

2
  These visual symptoms can result from improper lighting, glare from the screen, poor
positioning to the screen itself, or copy material that is difficult to read.
 These problems usually can be corrected by adjusting the physical and environmental
setting where the VDT users work.
 For example, work stations and lighting can and should be arranged to avoid direct and
reflected glare anywhere in the field of sight, from the display screen, or surrounding
surfaces. Many VDT jobs require long sessions in front of a display screen.
 Consequently, some people may need corrective lens to avoid eye strain and headaches.
Vision examinations should, therefore, be conducted to ensure early detection and
correction of poor vision.
 Eyecare specialists should be informed of computer use by VDT operators.

ii. Fatigue and Musculoskeletal Problems

 Work performed at VDTs may require sitting still for considerable time and usually
involves small frequent movements of the eyes, head, arms, and fingers.
 Retaining a fixed posture over long periods of time causes muscle fatigue and, if this
practice is consistent, can eventually lead to muscle pain and injury.
 VDT operators also are subject to a potential risk of developing various musculoskeletal
disorders such as carpal tunnel syndrome, and tendonitis.
 Musculoskeletal disorders are injuries to the muscles, joints, tendons, or nerves that are
caused or made worse by work related risk factors.
 Early symptoms of musculoskeletal disorders include pain and swelling, numbness and
tingling (hands falling asleep), loss of strength, and reduced range of motion.

If workers have any of these symptoms, they should report them to their employers as
soon as possible. If these symptoms are not treated early, they can result in loss of

iii. Radiation

3
  Another issue of concern for the VDT operator is whether the emissions from radiation,
such as X-ray or electromagnetic fields in the radiofrequency and extreme low frequency
ranges, pose a health risk.
 Some workers, including pregnant women, are concerned that their health could be
affected by electromagnetic fields emitted from VDTs.
 The threat from X-ray exposures is largely discounted because of the very low emission
levels. The radio frequency and extreme low-frequency electromagnetic fields are still at
issue despite the low emission levels.
 To date, however, there is no conclusive evidence that the low levels of radiation emitted
from VDTs pose a health risk to VDT operators. S
 ome workplace designs, however, have incorporated changes -- such as increasing the
distance between the operator and the terminal and between work stations -- to reduce
potential exposures to electromagnetic fields.

INTERVENTIONS
 There are a variety of interventions that employers can implement to reduce or prevent
harmful effects associated with VDT use.

i. Lighting

 Light should be directed so that it does not shine into the operator's eyes when the operator is
looking at the display screen.
 Futher, lighting should be adequate for the operator to see the text and the screen, but not so
bright as to cause glare or discomfort.
 There are four basic lighting factors that must be controlled to provide suitable office
illumination and avoid eyestrain:
o Quantity, In most offices, light fixtures and daylight provide illumination for work
surfaces (e.g., 50-100 foot-candles). High illumination "washes out" images on the

4
 display screen; therefore, if possible, where VDTs are used, illumination levels
should be somewhat lower (i.e., 28-50 foot-candles are often satisfactory).
o Contrast. Contrast is the difference in luminance or brightness between two areas. To
prevent the visual load caused by alternate light and dark areas, the difference in
illuminance between the VDT display screen, horizontal work surface, and
surrounding areas should be minimized.
o Glare. Glare is usually defined as a harsh, uncomfortably bright, light. Glare is
dependent upon the intensity, size, angle of incidence, luminance, and proximity of
the source to the line of sight. Glare may be the result of direct light sources in the
visual field (e.g., windows), or reflected light from polished surfaces (e.g., keyboards)
or from more diffuse reflections which may reduce contrast (e.g., improper task
lighting). Glare may cause annoyance, discomfort, or loss in visual performance and
visibility.
To limit reflection from walls and work surfaces visible around the screen, these areas
should be painted a medium color and have a nonreflective finish. Work stations and
lighting should be arranged to avoid reflected glare on the display screen or
surrounding surfaces.

In many cases, the reorientation of work stations may help remove sources of glare
out of the line of sight. The face of the display screen should be at right angles to
windows and light sources. Care should be taken, particularly when terminals are
installed within 20 feet (6.096 meters) of windows, to ensure that there is some
method of blocking the sun's light, such as blinds or curtains.

The proper "treatment" for window glare includes baffles, venetian blinds, draperies,
shades, or filters.

Screen glare filters that attach directly to the surface of a VDT screen can help reduce
glare. Two types of filters are available: natural density filters, which scatter and
diffuse some of the light reflected off the glass display screen, and micromesh filters,
which not only scatter the light but also absorb most of the light reflected from the

5
 surface of the screen by means of an imbedded interwoven grid of dyed nylon fibers.
These should be used as a last resort since filters can reduce visibility and legibility of
screen. Filters should be cleaned regularly.

ii. Work Station Design

 Proper work station design will reduce visual and musculoskeletal discomfort associated with
VDT use when the following work practices are observed:
 Ensure that the operator has a comfortable sitting position sufficiently flexible to reach,
use, and observe the display screen, keyboard, and document.
 Provide posture support for the back, arms, legs, and feet as well as adjustable display
screens and keyboards.
 Ensure that VDT tables or desks are vertically adjustable to allow for operator adjustment
of the screen and keyboard.
 Ensure proper chair height and support to the lower region of the back.
 Ensure that document holders are used to allow the operator to position and view material
without straining the eyes or neck, shoulder, and back muscles.
iii. Proper User Position and Support.
i. Chairs. The chair can be a crucial factor in preventing back pain as well as in improving
employee performance in office work. As the majority of office workers spend most of their
time sitting, a properly designed and adjustable chair for comfort, efficiency, and for the task
being performed is critical. All adjustments should easily be made from the seated position.
Specific chair criteria are discussed in the following paragraphs.
ii. Chair Height. When an employee spends from 6 to 8 hours in the chair, the height of the
chair and the work surface are critical. The human body dimension that provides a starting
point for determining correct chair height is the "popliteal" height. This is the height from the
floor to the point at the crease behind the knee. The chair height is correct when the entire
sole of the foot can rest on the floor or footrest and the back of the knee is slightly higher
than the seat of the chair. This allows the blood to circulate freely in the legs and feet.
iii. Seat pan Design. Size and shape are two factors to consider in the design of the seatpan of
the chair. The seat pan should be slightly concave with a softly padded, rounded, or
"waterfall" edge. This will help distribute the weight and may also prevent sliding forward in

6
 the chair. The angle of the seatpan should also be considered. Some options include a seatpan
that slopes slightly down at the back or one that has a forward tilt that produces less stress on
the lower region.
iv. Armrests. Armrests should be low and short enough to fit under work surfaces to allow users
to get close enough to the work surface. Chairs can be purchased with adjustable armrests.

v. Backrest. A proper backrest should support the entire back including the lower region. The
seat and backrest of the chair should support a comfortable posture that permits frequent
variations in the sitting position. The backrest angle and chair height should be easily
adjustable.

7
Computer Security
Achieving good computer security can seem like a daunting task. Fortunately, following the few
simple steps outlined below can provide a good measure of security in very little time.
1) Use antivirus software and keep it up-to-date. You should check for new definition updates
daily. Most antivirus software can be configured to do this automatically.

2) Install security patches. Vulnerabilities in software are constantly being discovered and they
don't discriminate by vendor or platform. It's not simply a matter of updating Windows; at least
monthly, check for and apply updates for all software you use.

3) Use a firewall. No Internet connection is safe without one. Firewalls are necessary even if you
have a dial-up Internet connection -- it takes only minutes for a a non-firewalled computer to be
infected.

4) Secure your browser. Many labor under the dangerous misconception that only Internet
Explorer is a problem. It's not the browser you need to be concerned about. Nor is it a matter of
simply avoiding certain 'types' of sites. Known, legitimate websites are frequently being
compromised and implanted with malicious javascript that foists malware onto visitors'
computers. To ensure optimum browsing safety, the best tip is to disable javascript for all but the
most essential of sites -- such as your banking or regular ecommerce sites. Not only will you
enjoy safer browsing, you'll be able to eliminate unwanted pop-ups as well.

5) Take control of your email. Avoid opening email attachments received unexpectedly -- no
matter who appears to have sent it. Remember that most worms and trojan-laden spam try to
spoof the sender's name. And make sure your email client isn't leaving you open to infection.
Reading email in plain text offers important security benefits that more than offset the loss of
pretty colored fonts.
6) Treat IM suspiciously. Instant Messaging is a frequent target of worms and trojans. Treat it
just as you would email.
7) Avoid P2P and distributed file sharing. Torrent, Kazaa, Gnutella, Morpheus and at least a
dozen other filesharing networks exist. Most are free. And all are rife with trojans, viruses,

8
worms, adware, spyware, and every other form of malicious code imaginable. There's no such
thing as safe anonymous filesharing. Avoid it like the plague.
8) Keep abreast of Internet scams. Criminals think of clever ways to separate you from your
hard earned cash. Don't get fooled by emails telling sad stories, or making unsolicited job offers,
or promising lotto winnings. Likewise, beware of email masquerading as a security concern from
your bank or other eCommerce site.
9) Don't fall victim to virus hoaxes. Dire-sounding email spreading fear, uncertainty and doubt
about non-existent threats serve only to spread needless alarm and may even cause you to delete
perfectly legitimate files in response.
Remember, there's far more good than bad on the Internet. The goal isn't to be paranoid. The
goal is to be cautious, aware, and even suspicious. By following the tips above and becoming
actively engaged in your own security, you'll not only be protecting yourself, you'll be
contributing to the protection and betterment of the Internet as a whole.

How To Keep Computer Safety?

Computers are expensive, and with all big purchases, you probably want to protect your
investment. Luckily, it is not difficult to keep your computer healthy and in good working
order. Maintaining a computer involves three things: keeping it physically clean, protecting it
from malware, and backing up your important files.
Watch the video to learn how to keep a computer healthy.

 Keep Your Computer Physically Clean

When dealing with computers, dust isn't just unattractive—it can potentially destroy parts of
your computer. By cleaning your computer regularly, you can help to keep it working properly
and avoid expensive repairs.

i. Cleaning the Keyboard

A dirty keyboard doesn't look nice and can cause your keyboard to not work properly. Dust,
food, liquid, or other particles can get stuck underneath the keys, which can cause them not to
work. Check your owner's manual to see if the manufacturer has provided you with instructions

9
for your specific keyboard. If so, you should follow them. If not, the following steps are basic
cleaning tips that will help you keep your keyboard clean:
1. Unplug the keyboard from the USB or PS/2 port. If the keyboard is plugged into the PS/2
port, you will need to shut down the computer before unplugging it.
2. Turn the keyboard upside down and gently shake it to remove dirt and dust.
3. Use a can of compressed air to clean between the keys.
4. Moisten a cotton cloth or paper towel with rubbing alcohol, and use it to clean the tops
of the keys. Do not pour alcohol (or any other liquid) directly onto the keys.
5. Reconnect the keyboard to the computer once it is dry. If you are connecting it to a PS/2
port, you will need to connect it before turning the computer on.

 Dealing with Liquids

If you spill liquid on the keyboard, quickly shut down the computer, and disconnect and turn the
keyboard upside down to allow the liquid to drain.

If the liquid is sticky, you will need to hold the keyboard on its side under running water to rinse
the sticky liquid away. Then, turn the keyboard upside down to drain for two days before
reconnecting it. The keyboard may not be repairable at this point, but rinsing the sticky liquid off
the keyboard is the only chance for it to be usable again. The best way to avoid this situation is to
keep drinks away from the computer area.

10
THREATS (COMPUTER)
 In computer security a threat is a possible danger that might exploit a vulnerability to breach
security and thus cause possible harm.
 Ii can also be refered to as a potential cause of an incident, that may result in harm of systems and
organization.
 A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal
organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the
possibility of a natural disaster such as an earthquake, a fire, or a tornado) or otherwise a
circumstance, capability, action, or event.[1]
 A resource (both physical or logical) can have one or more vulnerabilities that can be
exploited by a threat agent in a threat action. The result can potentially compromise the
Confidentiality, Integrity or Availability properties of resources (potentially different that the
vulnerable one) of the organization and others involved parties (customers, suppliers).
The so-called CIA triad is the basis of Information Security.
 The attack can be active when it attempts to alter system resources or affect their operation:
so it compromises Integrity or Availability. A "passive attack" attempts to learn or make use
of information from the system but does not affect system resources: so it compromises
Confidentiality.
 A set of policies concerned with information security management, the Information security
management systems (ISMS), has been developed to manage, according to Risk management
principles, the countermeasures in order to accomplish to a security strategy set up following
rules and regulations applicable in a country. Countermeasures are also called Security
controls; when applied to the transmission of information are named security services.[9]
 The widespread of computer dependencies and the consequent raising of the consequence of
a successful attack, led to a new term cyberwarfare.
 It should be noted that nowadays the many real attacks exploit Psychology at least as much
as technology. Phishing and Pretexting and other methods are called social engineering
techniques.
 The most widespread documentation on Computer insecurity is about technical threats such
computer virus, trojan and other malware, but a serious study to apply cost effective
countermeasures can only be conducted following a rigorous IT risk analysis in the

11
 framework of an ISMS: a pure technical approach will let out the psychological attacks, that
are increasing threats.
Classification Threats
Threats can be classified according to their type and origin:
Type
1. Physical damage
 fire
 water
 pollution
2. natural events
 climatic
 seismic
 volcanic
3. loss of essential services
 electrical power
 air conditioning
 telecommunication
4. compromise of information
 eavesdropping,
 theft of media
 retrieval of discarded materials
5. technical failures
 equipment
 software
 capacity saturation
6. compromise of functions
 error in use
 abuse of rights
 denial of actions
 Origin
1. Deliberate: aiming at information asset
 spying
 illegal processing of data

12
 2. accidental
 equipment failure
 software failure
3. environmental
 natural event
 loss of power supply

 Note that a threat type can have multiple origins.

THREAT AGENTS
Individuals within a threat population; Practically anyone and anything can, under the right
circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily
batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews
through a data cable.
Threat agents can take one or more of the following actions against an asset:
 Access – simple unauthorized access
 Misuse – unauthorized use of assets (e.g., identity theft, setting up a porn distribution service on a
compromised server, etc.)
 Disclose – the threat agent illicitly discloses sensitive information
 Modify – unauthorized changes to an asset
 Deny access – includes destruction, theft of a non-data asset, etc.
 It’s important to recognize that each of these actions affects different assets differently,
which drives the degree and nature of loss. For example, the potential for productivity loss
resulting from a destroyed or stolen asset depends upon how critical that asset is to the
organization’s productivity.
 If a critical asset is simply illicitly accessed, there is no direct productivity loss. Similarly, the
destruction of a highly sensitive asset that doesn’t play a critical role in productivity won’t
directly result in a significant productivity loss. Yet that same asset, if disclosed, can result in
significant loss of competitive advantage or reputation, and generate legal costs.
 The point is that it’s the combination of the asset and type of action against the asset that
determines the fundamental nature and degree of loss. Which action(s) a threat agent takes
will be driven primarily by that agent’s motive (e.g., financial gain, revenge, recreation, etc.)
and the nature of the asset.
13
 For example, a threat agent bent on financial gain is less likely to destroy a critical server
than they are to steal an easily pawned asset like a laptop.
 It is important to separate the concept of the event that a threat agent get in contact with the
asset (even virtually, i.e. through the network) and the event that a threat agent act against the
asset.
 The term Threat Agent is used to indicate an individual or group that can manifest a threat. It
is fundamental to identify who would want to exploit the assets of a company, and how they
might use them against the company.
Threat Agent = Capabilities + Intentions + Past Activities

These individuals and groups can be classified as follows:

 Non-Target Specific: Non-Target Specific Threat Agents are computer viruses, worms, trojans
and logic bombs.
 Employees: Staff, contractors, operational/maintenance personnel, or security guards who are
annoyed with the company.
 Organized Crime and Criminals: Criminals target information that is of value to them, such as
bank accounts, credit cards or intellectual property that can be converted into money. Criminals
will often make use of insiders to help them.
 Corporations: Corporations are engaged in offensive information warfare or competitive
intelligence. Partners and competitors come under this category.
 Human, Unintentional: Accidents, carelessness.
 Human, Intentional: Insider, outsider.
 Natural: Flood, fire, lightning, meteor, earthquakes.

Threat communities
Threat communities
 Subsets of the overall threat agent population that share key characteristics. The notion of threat
communities is a powerful tool for understanding who and what we’re up against as we try to manage
risk.
 For example, the probability that an organization would be subject to an attack from the terrorist
threat community would depend in large part on the characteristics of your organization relative to
the motives, intents, and capabilities of the terrorists. Is the organization closely affiliated with
ideology that conflicts with known, active terrorist groups? Does the organization represent a high

14
 profile, high impact target? Is the organization a soft target? How does the organization compare with
other potential targets? If the organization were to come under attack, what components of the
organization would be likely targets? For example, how likely is it that terrorists would target the
company information or systems?[6]
 The following threat communities are examples of the human malicious threat landscape many
organizations face:
 Internal
o Employees
o Contractors (and vendors)
o Partners
 External
o Cyber-criminals (professional hackers)
o Spies
o Non-professional hackers
o Activists
o Nation-state intelligence services (e.g., counterparts to the CIA, etc.)
o Malware (virus/worm/etc.) authors

THREAT ACTION
Threat action is an assault on system security.
A complete security architecture deals with both intentional acts (i.e. attacks) and accidental
events.
Various kinds of threat actions are defined as subentries under "threat consequence".

Threat Analysis
Threat analysis is the analysis of the probability of occurrences and consequences of damaging
actions to a [Link] is the basis of risk analysis.

15
Threat Consequences
Threat consequence is a security violation that results from a threat action.
Includes disclosure, deception, disruption, and usurpation.

The following subentries describe four kinds of threat consequences, and also list and describe
the kinds of threat actions that cause each consequence. Threat actions that are accidental events
are marked by "*".
1. "Unauthorized Disclosure" (a threat consequence)
A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
(See: data confidentiality.). The following threat actions can cause unauthorized disclosure:
i. "Exposure"
A threat action whereby sensitive data is directly released to an unauthorized entity. This
includes:
"Deliberate Exposure"
Intentional release of sensitive data to an unauthorized entity.
ii. "Scavenging"
Searching through data residue in a system to gain unauthorized knowledge of sensitive data.
* "Human error"
Human action or inaction that unintentionally results in an entity gaining unauthorized
knowledge of sensitive data.
* "Hardware/software error"
System failure that results in an entity gaining unauthorized knowledge of sensitive data.
iii. "Interception"
A threat action whereby an unauthorized entity directly accesses sensitive data travelling
between authorized sources and destinations. This includes:
iv. "Theft"
Gaining access to sensitive data by stealing a shipment of a physical medium, such as a
magnetic tape or disk, that holds the data.
"Wiretapping (passive)"
v. "Inference"
A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not
necessarily the data contained in the communication) by reasoning from characteristics or
byproducts of communications. This includes:

16
 vi. "Traffic analysis"
Gaining knowledge of data by observing the characteristics of communications that carry the
data.
"Signals analysis"
Gaining indirect knowledge of communicated data by monitoring and analyzing a signal that
is emitted by a system and that contains the data but is not intended to communicate the
data.

vii. "Intrusion"
A threat action whereby an unauthorized entity gains access to sensitive data by
circumventing a system's security protections. This includes:

viii. "Trespass"
Gaining unauthorized physical access to sensitive data by circumventing a system's
protections.

ix. "Penetration"
Gaining unauthorized logical access to sensitive data by circumventing a system's
protections.

x. "Reverse engineering"
Acquiring sensitive data by disassembling and analyzing the design of a system component.

xi. "Cryptanalysis"
Transforming encrypted data into plain text without having prior knowledge of encryption
parameters or processes.

2. "Deception" (a threat consequence)

A circumstance or event that may result in an authorized entity receiving false data and
believing it to be true. The following threat actions can cause deception:
"Masquerade"
A threat action whereby an unauthorized entity gains access to a system or performs a
malicious act by posing as an authorized entity.

17
 a. "Spoof"
Attempt by an unauthorized entity to gain access to a system by posing as an authorized
user.

b. "Malicious logic"
In context of masquerade, any hardware, firmware, or software (e.g., Trojan horse) that
appears to perform a useful or desirable function, but actually gains unauthorized access to
system resources or tricks a user into executing other malicious logic.

c. "Falsification"
A threat action whereby false data deceives an authorized entity. (See: active wiretapping.)

d. "Substitution"
Altering or replacing valid data with false data that serves to deceive an authorized entity.

e. "Insertion"
Introducing false data that serves to deceive an authorized entity.

f. "Repudiation"
A threat action whereby an entity deceives another by falsely denying responsibility for an
act.
"False denial of origin"
Action whereby the originator of data denies responsibility for its generation.
. "False denial of receipt"
Action whereby the recipient of data denies receiving and possessing the data.

3. "Disruption" (a threat consequence)

A circumstance or event that interrupts or prevents the correct operation of system services
and functions. The following threat actions can cause disruption:

I. "Incapacitation"
A threat action that prevents or interrupts system operation by disabling a system component.

II. "Malicious logic"

18
 In context of incapacitation, any hardware, firmware, or software (e.g., logic bomb)
intentionally introduced into a system to destroy system functions or resources.
"Physical destruction"
Deliberate destruction of a system component to interrupt or prevent system operation.

* "Human error"
Action or inaction that unintentionally disables a system component.

* "Hardware or software error"

Error that causes failure of a system component and leads to disruption of system operation.

* "Natural disaster"
Any "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system
component.[18]

III. "Corruption"
A threat action that undesirably alters system operation by adversely modifying system
functions or data.

IV. "Tamper"
In context of corruption, deliberate alteration of a system's logic, data, or control information
to interrupt or prevent correct operation of system functions.

V. "Malicious logic"
In context of corruption, any hardware, firmware, or software (e.g., a computer virus)
intentionally introduced into a system to modify system functions or data.

* "Human error"
Human action or inaction that unintentionally results in the alteration of system functions or
data.

* "Hardware or software error"

Error that results in the alteration of system functions or data.

19
 * "Natural disaster"
Any "act of God" (e.g., power surge caused by lightning) that alters system functions or data.
[18]

"Obstruction"
A threat action that interrupts delivery of system services by hindering system operations.

"Interference"
Disruption of system operations by blocking communications or user data or control
information.

"Overload"
Hindrance of system operation by placing excess burden on the performance capabilities of a
system component.

4. "Usurpation" (a threat consequence)

A circumstance or event that results in control of system services or functions by an
unauthorized entity. The following threat actions can cause usurpation:

a. "Misappropriation"
A threat action whereby an entity assumes unauthorized logical or physical control of a
system resource.

"Theft of service"
Unauthorized use of service by an entity.

"Theft of functionality"
Unauthorized acquisition of actual hardware, software, or firmware of a system component.

"Theft of data"
Unauthorized acquisition and use of data.

b. "Misuse"

20
 A threat action that causes a system component to perform a function or service that is
detrimental to system security.

c. "Tamper"
In context of misuse, deliberate alteration of a system's logic, data, or control information to
cause the system to perform unauthorized functions or services.

d. "Malicious logic"
In context of misuse, any hardware, software, or firmware intentionally introduced into a
system to perform or control execution of an unauthorized function or service.
"Violation of permissions"

Action by an entity that exceeds the entity's system privileges by executing an unauthorized
function.

21
SUMMARY:

Threats to Computer Security

 Computer systems are vulnerable to many threats that can inflict various types of damage
resulting in significant losses.
 This damage can range from errors harming database integrity to fires destroying entire
computer centers.
 Losses can stem, for example, from the actions of supposedly trusted employees defrauding a
system, from outside hackers, or from careless data entry clerks.
 Precision in estimating computer security-related losses is not possible because many losses
are never discovered, and others are "swept under the carpet" to avoid unfavorable publicity.
 The effects of various threats varies considerably: some affect the confidentiality or integrity
of data while others affect the availability of a system.

1. Errors and Omissions

Errors and omissions are an important threat to data and system integrity. These errors are caused
not only by data entry clerks processing hundreds of transactions per day, but also by all types of
users who create and edit data. Many programs, especially those designed by users for personal
computers, lack quality control measures. However, even the most sophisticated programs
cannot detect all types of input errors or omissions. A sound awareness and training program can
help an organization reduce the number and severity of errors and omissions.
Users, data entry clerks, system operators, and programmers frequently make errors that
contribute directly or indirectly to security problems. In some cases, the error is the threat, such
as a data entry error or a programming error that crashes a system. In other cases, the errors
create vulnerabilities. Errors can occur during all phases of the systems life cycle.

2. Fraud and Theft

Computer systems can be exploited for both fraud and theft both by "automating" traditional
methods of fraud and by using new methods. For example, individuals may use a computer to
skim small amounts of money from a large number of financial accounts, assuming that small
discrepancies may not be investigated. Financial systems are not the only ones at risk. Systems
that control access to any resource are targets (e.g., time and attendance systems, inventory

22
systems, school grading systems, and long-distance telephone systems). Computer fraud and
theft can be committed by insiders or outsiders. Insiders (i.e., authorized users of a system) are
responsible for the majority of fraud.
Since insiders have both access to and familiarity with the victim computer system (including
what resources it controls and its flaws), authorized system users are in a better position to
commit crimes. Insiders can be both general users (such as clerks) or technical staff members.
An organization's former employees, with their knowledge of an organization's operations, may
also pose a threat, particularly if their access is not terminated promptly.

3. Employee Sabotage
Employees are most familiar with their employer's computers and applications, including
knowing what actions might cause the most damage, mischief, or sabotage. The downsizing of
organizations in both the public and private sectors has created a group of individuals with
organizational knowledge, who may retain potential system access (e.g., if system accounts are
not deleted in a timely manner). The number of incidents of employee sabotage is believed to be
much smaller than the instances of theft, but the cost of such incidents can be quite high.

Common examples of computer-related employee sabotage include:

a. destroying hardware or facilities,
b. planting logic bombs that destroy
c. programs or data,
d. entering data incorrectly,
e. "crashing" systems,
f. deleting data,
g. holding data hostage, and
h. changing data.

4. Loss of Physical and Infrastructure Support

The loss of supporting infrastructure includes power failures (outages, spikes, and brownouts),
loss of communications, water outages and leaks, sewer problems, lack of transportation
services, fire, flood, civil unrest, and strikes.
5. Malicious Hackers

23
The term malicious hackers, sometimes called crackers, refers to those who break into computers
without authorization. They can include both outsiders and insiders. Much of the rise of hacker
activity is often attributed to increases in connectivity in both government and industry. One
1992 study of a particular Internet site (i.e., one computer system) found that hackers attempted
to break in at least once every other day. The hacker threat should be considered in terms of past
and potential future damage. Although current losses due to hacker attacks are significantly
smaller than losses due to insider theft and sabotage, the hacker problem is widespread and
serious.

6. Industrial Espionage
Industrial espionage is the act of gathering proprietary data from private companies or the
government for the purpose of aiding another company(ies). Industrial espionage can be
perpetrated either by companies seeking to improve their competitive advantage or by
governments seeking to aid their domestic industries. Foreign industrial espionage carried out by
a government is often referred to as economic espionage. Since information is processed and
stored on computer systems, computer security can help protect against such threats; it can do
little, however, to reduce the threat of authorized employees selling that information.

7. Malicious Code / Software

Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other "uninvited"
software. Sometimes mistakenly associated only with personal computers, malicious code can
attack other platforms. Actual costs attributed to the presence of malicious code have resulted
primarily from system outages and staff time involved in repairing the systems. Nonetheless,
these costs can be significant.
Examples of malicious software’s:
Virus: A code segment that replicates by attaching copies of itself to existing executables. The
new copy of the virus is executed when a user executes the new host program. The virus may
include an additional "payload" that triggers when specific conditions are met. For example,
some viruses display a text string on a particular date. There are many types of viruses, including
variants, overwriting, resident, stealth, and polymorphic.
Trojan Horse: A program that performs a desired task, but that also includes unexpected (and
undesirable) functions. Consider as an example an editing program for a multiuser system. This

24
program could be modified to randomly delete one of the users' files each time they perform a
useful function (editing), but the deletions are unexpected and definitely undesired!
Worm: A self-replicating program that is self-contained and does not require a host program.
The program creates a copy of itself and causes it to execute; no user intervention is required.
Worms commonly use network services to propagate to other host systems.

8. Threats to Personal Privacy

The accumulation of vast amounts of electronic information about individuals by governments,
credit bureaus, and private companies, combined with the ability of computers to monitor,
process, and aggregate large amounts of information about individuals have created a threat to
individual privacy. The possibility that all of this information and technology may be able to be
linked together has arisen as a specter of the modern information age.

25