CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [31]
After you’ve determined the costs, you can then evaluate the likelihood that certain types of events will occur and the most likely outcome if they do occur. If you work in New York City, what is the likelihood of damage to your business from an earthquake? Will your risk assessment place the high probability of an earthquake on your list of primary concerns?
Identifying Threats
Implementing a security policy requires that you evaluate the risks of both internal and external threats to the data and network. It does little good to implement a high-security environment to protect your company from the outside if the threat is mostly internal. If a member of your team brings a disk containing a virus into the office and loads it onto a computer, the virus may spread throughout the entire network and effectively be immune to your external security measures. This is a common problem in schools, libraries, and environments where people regularly use shared resources. If a library offers computers for public use and those computers are in a network, a virus could infect all of the systems throughout the network. External security measures won’t prevent potential damage or data loss.
Internal threats also include employee fraud, abuse or alteration of data, and theft of property. Both policies and systems must be put into place to detect and mitigate these possibilities. Investigating and making recommendations to management on procedural changes and policies is a key role for computer security professionals. Figure 1.17 depicts some examples of internal and external threats.
FIGURE 1.17 Internal and external threats to an organization
Internal Threats
Most well-publicized internal threats involve financial abuses. Some of these abuses are outright fraud or theft. These types of threats, especially in a computer-intensive environment, can be difficult to detect and investigate. They are typically ongoing and involve small transactions over long periods. A recent incident of fraud that occurred in a large software manufacturer involved an accounting professional who generated bogus checks in payment for work that never occurred. Over a few months, this employee was able to make over $100,000 in fraudulent payments to companies that she or relatives had created. It took considerable investigation by computer and financial auditors to determine how this theft occurred. From a computer security perspective, this was an internal threat that was the result of failures in financial, operational, and computer security controls. These types of incidents probably occur more frequently than anyone wants to admit, and many times more often than anyone becomes aware of.
Another incident involved an employee who was using corporate computer resources to operate a financial accounting service. This employee had been running this business for several years. When the company found out, it immediately fired the employee and confiscated his records. During the investigation, the process used to collect evidence inadvertently tainted it. The chain of custody in this case was broken. When the employee went to court over this situation, his attorney was able to have the evidence thrown out of court. Even though the employee was clearly guilty, the judge dismissed the case due to a lack of admissible evidence. The employee then sued the company for wrongful discharge, harassment, and several other charges. He won those suits, and he got his old job back. In this instance, the internal policies and systems put into place to detect, investigate, and correct the problem broke down. It cost the company a huge amount of money and allowed a known embezzler back in.
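The second incident turned on the chain of custody: the evidence itself was real, but because its handling could not be shown to be untainted, it was inadmissible. The following Python example, added here and not taken from the study guide, shows the minimal discipline that would have exposed the problem early: hash each evidence item when it is acquired, re-hash it at every handoff or examination, and flag the first step at which the digest changes. The class names, the `EX-...` item identifiers and the sample ledger bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CustodyEvent:
    """One entry in the chain of custody for an evidence item."""
    actor: str      # who handled the item
    action: str     # what they did: acquired, transferred, examined, ...
    sha256: str     # digest of the item as it looked at this step


@dataclass
class EvidenceRecord:
    """Hash-backed custody log for a single evidence item (hypothetical helper)."""
    item_id: str
    events: List[CustodyEvent] = field(default_factory=list)

    def record(self, actor: str, action: str, data: bytes) -> str:
        """Log a custody step, hashing the item as observed at that moment."""
        digest = hashlib.sha256(data).hexdigest()
        self.events.append(CustodyEvent(actor, action, digest))
        return digest

    def verify(self) -> Optional[int]:
        """Return None if every step's digest matches the acquisition digest,
        otherwise the index of the first step at which the item changed."""
        if not self.events:
            return None
        baseline = self.events[0].sha256
        for index, event in enumerate(self.events[1:], start=1):
            if event.sha256 != baseline:
                return index
        return None


# Constructed sample evidence: stands in for a seized accounting export.
ORIGINAL = b"constructed sample: accounting ledger export, vendor payments Q3\n"


def demo_intact() -> Optional[int]:
    """Every handler works from an unchanged copy; the chain verifies clean."""
    rec = EvidenceRecord("EX-0001-placeholder")
    rec.record("analyst A", "acquired from workstation", ORIGINAL)
    rec.record("analyst A", "transferred to evidence locker", ORIGINAL)
    rec.record("analyst B", "examined working copy", ORIGINAL)
    return rec.verify()          # None: no step altered the item


def demo_tainted() -> Optional[int]:
    """A handler opens and re-saves the original; the break is pinpointed."""
    rec = EvidenceRecord("EX-0002-placeholder")
    rec.record("analyst A", "acquired from workstation", ORIGINAL)
    rec.record("analyst A", "transferred to evidence locker", ORIGINAL)
    tainted = ORIGINAL + b"# re-saved in place during review\n"
    rec.record("analyst B", "examined original in place", tainted)
    return rec.verify()          # 2: the examination step changed the item


if __name__ == "__main__":
    print("intact chain:", demo_intact())
    print("tainted chain broke at step:", demo_tainted())
```

The point of `verify` is not cryptographic strength but accountability: because every handoff carries a digest, the log shows exactly which person and which action first touched the evidence, which is what a court (or an internal auditor) will ask for. In practice the digest of the acquisition step is also written down outside the system, so the log itself cannot be quietly rewritten.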
We’ll discuss chains of custody, incident response, and the proper way to conduct investigations in Chapter 8. For now, it’s important to know that finding and dealing