

Threats
Category of Threats
9.

Missing, inadequate, or incomplete organizational policy or planning makes an organization vulnerable to loss,
damage, or disclosure of information assets.

The organization’s executive leadership is responsible for strategic planning for security as well as for IT and
business functions—a task known as governance.

10
This category of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism
to either destroy an asset or damage the image of an organization. These acts can range from petty vandalism by
employees to organized sabotage against an organization.

Vandalism to a Web site can erode consumer confidence, thus diminishing an organization’s sales and net worth,
as well as its reputation.

For example, on July 13, 2001, a group known as Fluffi Bunni left its mark on the front page of the SysAdmin, Audit,
Network, Security (SANS) Institute, a cooperative research and education organization. This event was particularly
embarrassing to SANS Institute management, since the Institute provides security certification programs. The
defacement read, “Would you really trust these guys to teach you security.”

Compared to Web site defacement, vandalism within a network is more malicious in intent and less public.
Today, another form of online vandalism is prevailing: hacktivist or cyber activist operations, which interfere with
or disrupt systems to protest the operations, policies, or actions of an organization or government agency.

In November 2009, a group calling itself “anti-fascist hackers” defaced the Web site of David Irving, an English
author and Holocaust denier who wrote on the military and political history of World War II with a focus on Nazi
Germany. They also released his private e-mail correspondence, secret locations of his events, and detailed
information about people attending those events. This information was posted on the Web site WikiLeaks, an
organization that publishes sensitive leaked news provided by anonymous sources.

Irving's reputation as a historian was discredited in 1996 due to an unsuccessful false case he filed against the
American historian Deborah Lipstadt and Penguin Books; he was proven to have deliberately misrepresented
historical evidence to promote Holocaust denial and whitewash the Nazis.
The English court found that Irving was an active Holocaust denier and racist, who "for his own ideological reasons
persistently and deliberately misrepresented and manipulated historical evidence". In addition, the court found that
Irving's books had distorted the history of Hitler's role in the Holocaust to depict Hitler in a favourable light.

A much more sinister form of hacking is cyberterrorism. Cyberterrorists hack systems to conduct terrorist
activities via network or Internet pathways. Cyberterrorism is the premeditated, politically motivated attack against
information, computer systems, computer programs, and data that results in violence against noncombatant targets
by subnational groups or clandestine agents.

Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during
the war in Kosovo.

11
The threat of theft is the illegal taking of another’s property, which can be physical, electronic, or
intellectual. The value of information is diminished when it is copied without the owner’s knowledge.

Physical theft can be controlled quite easily by means of a wide variety of measures, from locked doors to
trained security personnel and the installation of alarm systems. When someone steals a physical object, the loss is
easily detected; if it has any importance at all, its absence is noted.

Electronic theft, however, is a more complex problem to manage and control. When electronic information is
stolen, the crime is not always readily apparent. If thieves are clever and cover their tracks carefully, no one may ever
know of the crime until it is far too late.

12
Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or
unknown flaw.

These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or
lack of availability. Some errors are terminal—that is, they result in the unrecoverable loss of the equipment. Some
errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily
repeated, and thus, equipment can sometimes stop working, or work in unexpected ways.

One of the best-known hardware failures is that of the Intel Pentium II chip, which had a defect that resulted in a
calculation error under certain circumstances. Intel initially expressed little concern for the defect. Yet within days,
popular computing journals were publishing a simple calculation (the division of 4195835 by 3145727) that
determined whether an individual’s machine contained the defective chip and thus the floating-point operation bug.

This Pentium floating-point division bug (FDIV) led to a public relations disaster for Intel that resulted in its first-ever
chip recall and a loss of over $475 million.

A few months later, disclosure of another bug, known as the Dan-0411 flag, further eroded the chip manufacturer’s
public image. This bug occurs with operations that convert floating-point numbers into integers.

In 1998, when Intel released its Xeon chip, it also had hardware errors. Intel said, “All new chips have bugs, and the
process of debugging and improving performance inevitably continues even after a product is in the market.”
