Common Information Security Threats
There are many information security threats that we need to be constantly aware of and protect against in order to ensure our sensitive information remains secure. This article details 12 different information security threats that are commonly found, together with some preventative measures that can be taken.
This article is just one of the many materials that form part of the ‘Highway of Threats’ awareness campaign. See the Campaigns section of the site for more details on this.
Unauthorized Access – Enter at your own risk
The attempted or successful access of information or systems, without permission or rights to do so.
- Ensure you have a properly configured firewall and up-to-date malware prevention software, and that all software has the latest security updates.
- Protect all sensitive information, utilizing encryption where appropriate, and use strong passwords that are changed regularly.
Cyber Espionage – Hey, get off my network!
The act of spying through the use of computers, involving the covert access or ‘hacking’ of company or government networks to obtain sensitive information.
- Be alert for social engineering attempts and verify all requests for sensitive information.
- Ensure software has the latest security updates and your network is secure, and monitor for unusual network behaviour.
Malware – You installed what?!
A collective term for malicious software, such as viruses, worms and trojans, designed to infiltrate systems and information for criminal, commercial or destructive purposes.
- Ensure you have a properly configured firewall and up-to-date malware prevention, and that all software has the latest security updates.
- Do not click links or open attachments in emails from unknown senders, visit untrusted websites or install dubious software.
Data Leakage – I seek what you leak
The intentional or accidental loss, theft or exposure of sensitive company or personal information.
- Ensure all sensitive information stored on removable storage media, mobile devices or laptops is encrypted.
- Be mindful of what you post online, check email recipients before pressing send, and never email sensitive company information to personal email accounts.
Mobile Device Attack – Lost, but not forgotten
The malicious attack on, or unauthorized access of, mobile devices and the information stored or processed by them, performed wirelessly or through physical possession.
- Keep devices with you at all times, encrypt all sensitive data and removable storage media, and use strong passwords.
- Avoid connecting to insecure, untrusted public wireless networks and ensure Bluetooth is in ‘undiscoverable’ mode.
Social Engineering – Go find some other mug
Tricking and manipulating others by phone, email, online or in-person, into divulging sensitive information, in order to access company information or systems.
- Verify all requests for sensitive information, no matter how legitimate they may seem, and never share your passwords with anyone – not even the helpdesk.
- Never part with sensitive information if in doubt, and report suspected social engineering attempts immediately.
Insiders – I see bad people
An employee or worker with malicious intent to steal sensitive company information, commit fraud or cause damage to company systems or information.
- Ensure access to sensitive information is restricted to only those that need it and revoke access when no longer required.
- Report all suspicious activity or workers immediately.
Phishing – Think before you link
A form of social engineering, involving the sending of legitimate-looking emails aimed at fraudulently extracting sensitive information from recipients, usually to gain access to systems or for identity theft.
- Look out for emails containing unexpected or unsolicited requests for sensitive information, or contextually relevant emails from unknown senders.
- Never click on suspicious-looking links within emails, and report all suspected phishing attempts immediately.
System Compromise – Only the strong survive
A system that has been attacked and taken over by malicious individuals or ‘hackers’, usually through the exploitation of one or more vulnerabilities, and then often used for attacking other systems.
- Plug vulnerable holes by ensuring software has the latest security updates and any internally developed software is adequately security reviewed.
- Ensure systems are hardened and configured securely, and regularly scan them for vulnerabilities.
Spam – Email someone else
Unsolicited email sent in bulk to many individuals, usually for commercial gain, but increasingly for spreading malware.
- Only give your email to those you trust and never post your address online for others to view.
- Use a spam filter and never reply to spam emails or click links within them.
Denial of Service – Are you still there?
An intentional or unintentional attack on a system and the information stored on it, rendering the system unavailable and inaccessible to authorized users.
- Securely configure and harden all networks and network equipment against known DoS attacks.
- Monitor networks through log reviews and the use of intrusion detection or prevention systems.
Identity Theft – You will never be me
The theft of an unknowing individual’s personal information, in order to fraudulently assume that individual’s identity to commit a crime, usually for financial gain.
- Never provide personal information to untrusted individuals or websites.
- Ensure personal information is protected when stored and securely disposed of when no longer needed.