security and control mis

Upload: jaipuneet-arora

Post on 28-Mar-2015


TRANSCRIPT

Page 1: security and control MIS
Page 2: security and control MIS

In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

Examples of vulnerability: an attacker convinces a user to open an email message with attached malware; a flood damages your computer systems installed on the ground floor.

Page 3: security and control MIS

• Advances in telecommunications and computer software

• Unauthorized access, abuse, or fraud

• Hackers

• Computer virus

Page 4: security and control MIS

• Hardware problems: Breakdowns, configuration errors, damage from improper use or crime

• Software problems: Programming errors, installation errors, unauthorized changes

• Disasters: Power failures, flood, fires, etc.

Page 5: security and control MIS

The types of threats that large public networks, like the Internet, face arise because they are open to virtually anyone. The Internet is so huge that when abuses do occur, they can have an enormously widespread impact. And when the Internet becomes part of the corporate network, the organization’s information systems are even more vulnerable to actions from outsiders.

• Network open to anyone

• Size of Internet means abuses can have wide impact

• E-mail used for transmitting trade secrets

Page 6: security and control MIS

• Identity theft: Theft of personal Information (social security id, driver’s license or credit card numbers) to impersonate someone else

• Phishing: Setting up fake Web sites or sending e-mail messages that look like legitimate businesses to ask users for confidential personal data.

• Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet.

Page 7: security and control MIS

• Internal threats – Employees

• Security threats often originate inside an organization

• Inside knowledge

People inside the company with access to the system can leak the information.

• Social engineering:

• Tricking employees into revealing their passwords by pretending to be legitimate members of the company in need of information

Page 8: security and control MIS

• Inadequate security and control may create serious legal liability.

• Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft.

• A sound security and control framework that protects business information assets can thus produce a high return on investment.

Page 9: security and control MIS

• Lack of security and control can lead to:

• Loss of revenue: Failed computer systems can lead to significant or total loss of business function

• Lowered market value: Information assets can have tremendous value; a security breach may cut into a firm’s market value almost immediately

• Lowered employee productivity

• Higher operational costs

Page 10: security and control MIS

Electronic Records Management (ERM): Policies, procedures and tools for managing the retention, destruction, and storage of electronic records.

Data Security and Control Laws:

• Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection

• HIPAA (The Health Insurance Portability and Accountability Act): Medical security and privacy rules and procedures

• Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data

Page 11: security and control MIS

• Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally

• The Computer Fraud and Abuse Act, 1986

• The National Information Infrastructure Protection Act, 1996

Page 12: security and control MIS

Ensuring Business Continuity

• Fault-tolerant computer systems: Redundant hardware, software, and power supply components to provide continuous, uninterrupted service

• High-availability computing: Designing to maximize application and system availability

Page 13: security and control MIS

• Recovery-oriented computing: Designing computing systems to recover more rapidly from mishaps

• Disaster recovery planning: Plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack

• Business continuity planning: Focuses on restoring business operations after disaster.

Page 14: security and control MIS

• MIS audit: Identifies all of the controls that govern individual information systems and assesses their effectiveness

• Security audits: Review technologies, procedures, documentation, training, and personnel.

Page 15: security and control MIS

Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders.

Firewalls: Hardware and software controlling flow of incoming and outgoing network traffic.
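The slide defines a firewall as a control over incoming and outgoing traffic. The two properties a firewall policy actually depends on are rule ordering (first match wins) and a default-deny fallthrough for anything no rule covers. The following is an added example, not code from the slides: a minimal stateless packet filter in Python. The rule fields, the policy and the sample packets are all constructed here; the addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and do not refer to real hosts.

```python
"""Added example (not from the slides): a minimal stateless packet filter
showing first-match rule ordering and a default-deny fallthrough.
Rule syntax, field names, policy and sample packets are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out"
    src: str                     # CIDR, e.g. "10.0.0.0/8" or "0.0.0.0/0"
    dst: str
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src, strict=False)
    dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst, strict=False)
    return src_ok and dst_ok


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything left unmatched is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"  # default deny: the safe failure mode


# Constructed policy: block one range before the general allow so that the
# block takes effect, allow HTTPS from anywhere to the web server, allow
# internal hosts to reach the database server, deny everything else.
POLICY = [
    Rule("deny",  "in", "203.0.113.0/24", "0.0.0.0/0",     "any"),
    Rule("allow", "in", "0.0.0.0/0",      "192.0.2.10/32", "tcp", 443),
    Rule("allow", "in", "10.0.0.0/8",     "10.1.1.5/32",   "tcp", 5432),
]


def evaluate_samples() -> dict:
    """Run a set of constructed packets through the policy."""
    samples = {
        "https_from_internet": Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 443),
        "ssh_from_internet":   Packet("in", "198.51.100.7", "192.0.2.10", "tcp", 22),
        "db_from_lan":         Packet("in", "10.2.3.4",     "10.1.1.5",   "tcp", 5432),
        "db_from_internet":    Packet("in", "198.51.100.7", "10.1.1.5",   "tcp", 5432),
        "https_from_blocked":  Packet("in", "203.0.113.9",  "192.0.2.10", "tcp", 443),
    }
    return {name: decide(POLICY, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:22s} -> {verdict}")
```

Swapping the first two rules would let the blocked range reach the web server, which is the ordering mistake reviewers look for in real rulesets; the default-deny return at the end of `decide` is what keeps a forgotten service (the SSH packet above) closed.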

Page 16: security and control MIS

Intrusion detection systems: Full-time monitoring tools placed at the most vulnerable points of corporate networks to detect intruders.

Antivirus software: Software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area
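An intrusion detection system, at its simplest, is a rule run continuously over what the network or host reports. The following is an added example, not from the slides: one host-based detection rule in Python that alerts when a single source address produces five or more failed logins inside a sixty-second sliding window. The log lines imitate an OpenSSH-style authentication log but are constructed for this example, as are the threshold and window values.

```python
"""Added example (not from the slides): a single intrusion-detection rule
run over constructed authentication log lines.

Rule: alert when one source address produces at least THRESHOLD failed
logins within WINDOW seconds. Log format imitates an OpenSSH auth log;
every line below is made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List

THRESHOLD = 5   # failures before alerting (constructed value)
WINDOW = 60     # sliding window in seconds (constructed value)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: one noisy source (198.51.100.7) and two ordinary users.
SAMPLE_LOG = """\
2024-01-01T10:00:01 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
2024-01-01T10:00:03 sshd[102]: Failed password for root from 198.51.100.7 port 4002 ssh2
2024-01-01T10:00:04 sshd[103]: Accepted password for alice from 10.0.0.5 port 5000 ssh2
2024-01-01T10:00:06 sshd[104]: Failed password for invalid user test from 198.51.100.7 port 4003 ssh2
2024-01-01T10:00:09 sshd[105]: Failed password for root from 198.51.100.7 port 4004 ssh2
2024-01-01T10:00:12 sshd[106]: Failed password for invalid user oracle from 198.51.100.7 port 4005 ssh2
2024-01-01T10:00:20 sshd[107]: Failed password for bob from 10.0.0.9 port 5001 ssh2
2024-01-01T10:00:30 sshd[108]: Failed password for root from 198.51.100.7 port 4006 ssh2
"""


def detect_bruteforce(log_text: str, threshold: int = THRESHOLD,
                      window: int = WINDOW) -> List[dict]:
    """Return one alert per source IP, raised the first time it crosses the threshold."""
    recent: Dict[str, deque] = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue  # unparseable or successful login: not counted
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        # discard failures that have fallen out of the sliding window
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerted:
            alerted.add(m["ip"])
            alerts.append({"ip": m["ip"], "count": len(q), "last_seen": m["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT repeated login failures from {a['ip']}: "
              f"{a['count']} in window, last at {a['last_seen']}")
```

The sliding window is what separates a detection rule from a simple counter: the same eight lines produce no alert when the window is shortened to ten seconds, because the failures are spread too thinly. Tuning that pair of numbers against the site's normal failure rate is the bulk of the work in deploying such a rule.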

Page 17: security and control MIS

• Walkthrough: Review of specification or design document by small group of people

• Debugging: Process of discovering and eliminating errors and defects in program code

Page 18: security and control MIS

Data quality audit

• Survey and/or sample of files

• Determines accuracy and completeness of data

Data cleansing

• Correcting errors and inconsistencies in data to increase accuracy

Page 19: security and control MIS

Message integrity: The ability to be certain that the message being sent arrives at the proper destination without being copied or changed.

• Digital signature: A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message

• Digital certificates: Data files used to establish the identity of users and electronic assets for protection of online transactions
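The slide describes a digital signature as a code attached to a message that lets the receiver verify both its origin and its contents. The following is an added example, not from the slides, showing that attach-then-verify workflow in Python. A real digital signature uses a private/public key pair; the Python standard library has no signature primitive, so this example uses HMAC-SHA256, a symmetric message authentication code, in its place. The workflow is the same (sender attaches a code computed over the message, receiver recomputes it and rejects a mismatch), but with HMAC both parties hold the same secret, so it proves origin only among the key holders. The key, messages and envelope format are constructed here.

```python
"""Added example (not from the slides): message integrity and origin
checking with an authentication code attached to the message.

Uses HMAC-SHA256 (symmetric) as a stand-in for a digital signature
(asymmetric); the attach / recompute / compare workflow is the same.
Key, messages and envelope layout are constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict


def make_tag(key: bytes, message: bytes) -> str:
    """Compute the authentication code over the exact bytes of the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def send(key: bytes, message: str) -> Dict[str, str]:
    """Sender side: attach the code to the message."""
    body = message.encode("utf-8")
    return {"message": message, "tag": make_tag(key, body)}


def receive(key: bytes, envelope: Dict[str, str]) -> bool:
    """Receiver side: accept only if the recomputed code matches.

    compare_digest runs in constant time, so an attacker submitting guessed
    tags cannot learn from timing how many leading bytes were correct.
    """
    expected = make_tag(key, envelope["message"].encode("utf-8"))
    return hmac.compare_digest(expected, envelope["tag"])


def demo():
    """Exercise the three cases: genuine, altered contents, wrong origin."""
    key = secrets.token_bytes(32)  # shared in advance, out of band
    envelope = send(key, "Transfer 100 to account 42")
    genuine_ok = receive(key, envelope)

    # Contents changed in transit, tag left as it was: must be rejected.
    tampered = dict(envelope, message="Transfer 9000 to account 42")
    tampered_ok = receive(key, tampered)

    # Same envelope checked by a party holding a different key: must be rejected.
    wrong_key_ok = receive(secrets.token_bytes(32), envelope)
    return genuine_ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print("genuine, tampered, wrong key ->", demo())
```

The check covers what the slide calls origin and contents. It does not by itself prevent a captured envelope from being delivered again later; a practical protocol adds a message identifier or timestamp inside the authenticated bytes so that `make_tag` covers it too.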

Page 20: security and control MIS